RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)

2003-02-19 Thread Maik Mueller
 Cool..

 Can you please post the patch to the list, so that ppl can review the
 code,
 and give their comments.

 -Madhu
No problem!
Here is my short README describing the patch and its history from Apache
version 2.0.43 to 2.0.44:

Hello!
This is the distribution point for the Apache 2.0 as SSL Intermediary Patch.
Currently you need this patch to use Apache 2.0 as a trusted intermediary
in configuration with the SAP J2EE Engine.
The patch is subject to become part of the standard Apache 2.0 distribution.

Feedback welcome!
Maik ([EMAIL PROTECTED])

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:
02-12-30 initial release (available SAP internal)
03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added
 In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is
 already applied. More convenient for users not so familiar with the
 usage of diff & patch.
03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
 You cannot use the UNIX source to build the WIN32 binaries.
 This ZIP archive contains the already patched version of
 httpd-2.0.43-win32-src. Use it to build the WIN32 binaries.
 If you want to apply Apache-2.0.43-SSLintermediary.patch to the
 original httpd-2.0.43-win32-src be aware that you have to convert
 CR-LFs to CR before applying the patch. In the successfully patched
 files you can again expand CR to CR-LF.
03-01-20 Bug in base 64 padding found. The calculation of the number of
 padding characters ('=') needed computes wrong results in some cases.
03-02-07 Apache 2.0.44 Released
 Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz
 The documentation changes are NO longer part of the patch.
 Download mod_headers_mai.html.en for proposed documentation changes.
 SSLproxy.conf is a good example for a proxy's mod_ssl configuration.
 The SAP proposed header names are used in the example added to the
 mod_headers documentation (see mod_headers_mai.html.en).

And here follows the patch (My proposed changes to the HTML docu are now not
included in the patch. Please advise me if and how to post these changes to
mod_headers.html.en):
--- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov  4 19:31:57 2002
+++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb  7 18:00:18 2003
@@ -109,6 +109,7 @@
 #include apr_lib.h
 #include apr_strings.h
 #include apr_buckets.h
+#include apr_base64.h

 #include apr_hash.h
 #define APR_WANT_STRFUNC
@@ -198,6 +199,62 @@
 else
 return (null);
 }
+
+/* Base 64 encoded ASN.1 data is usually tagged with decorations of
+ * the following style:
+ *   -BEGIN description-
+ *   base64 encoded body
+ *   -END description-
+ * The defines are used to search for such decorations.
+ */
+#define DECORATION_MARKER_BEGIN -BEGIN
+#define DECORATION_MARKER_END   -END
+#define DECORATION_EOF_MARKER   -
+
+static const char *header_request_env_varB64(request_rec *r, char *a)
+{
+  const char *s = apr_table_get(r-subprocess_env,a);
+  char *pStartBody = NULL;
+  char *pBehindBody = NULL;
+  char *ptr;
+
+  if (s) {
+/* search for decorations marking encapsulated base64 encoded data */
+ptr = strstr((char *)s, DECORATION_MARKER_BEGIN);
+if (ptr) {
+  ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN),
DECORATION_EOF_MARKER);
+  if (ptr  (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') {
+   /* explicit check that there are sitll chars in the string */
+   pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1;
+
+   ptr = strstr(pStartBody, DECORATION_MARKER_END);
+   if (ptr  strstr(ptr, DECORATION_EOF_MARKER))
+ pBehindBody = ptr;
+  }
+}
+
+if (pStartBody  pBehindBody) {
+  /* encapsulated base64 encoded data found */
+  /* all except the body will be skipped */
+  *pBehindBody = '\0';
+  apr_base64_cleanB64(pStartBody);
+  return pStartBody;
+} else {
+  /* call apr_base64_encode() to encode the data */
+  int inlen = strlen(s);
+  int outsize = apr_base64_encode_len(inlen);
+  char *encoded = apr_palloc(r-pool, outsize);
+  int rc = apr_base64_encode(encoded, s, inlen);
+  if (rc  outsize)
+   return (null);
+  else
+   return encoded;
+}
+  }
+  else
+return (null);
+}
+
 /*
  * Config routines
  */
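Review bot: header_request_env_varB64() writes "*pBehindBody = '\0'" into the string returned by apr_table_get() on the subprocess_env table, after casting away its const for strstr(), so the stored environment value is truncated in place for every later reader of that table; copy the value into the request pool first (for example with apr_pstrdup) and edit the copy. In the same branch the test "(ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0'" compares the pointer itself instead of the character it points to, so the check described in the comment below it never rejects anything and pStartBody can end up past the terminator when the marker is the last thing in the value; dereference the pointer and test the byte directly after the marker before skipping it.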
@@ -407,7 +464,7 @@

 /* Handle the envclause on Header */
 if (envclause != NULL) {
-if (inout != hdr_out) {
+if (inout != hdr_out  inout != hdr_in) {
 return error: envclause (env=...) only valid on Header
directive;
 }
 if (strncasecmp(envclause, env=, 4) != 0) {
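Review bot: The condition on the envclause check now lets hdr_in through as well, but the string returned on failure still says "envclause (env=...) only valid on Header directive", which no longer matches what the code accepts; reword the message so it names RequestHeader too, otherwise an administrator who hits it is told the opposite of what this change allows.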
@@ -448,12 +505,23 @@
 return

RE: Problems compiling mod_ssl with apache 2.0.44

2003-02-10 Thread John . Airey
 -Original Message-
 From: Geoff Thorpe [mailto:[EMAIL PROTECTED]]
 Sent: 08 February 2003 18:08
 To: [EMAIL PROTECTED]
 Subject: Re: Problems compiling mod_ssl with apache 2.0.44
 
 
 * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
  Ok, I have found the problem. If you want to have files in the same
  directories as original installation of RH8 you have to use ./config
  --prefix=/usr. Sorry for that confusion. It is the distribution which
  is strange.
 
 Phew, I was starting to wonder what I was missing here :-) As I
 mentioned originally, using /usr/include as an installation prefix
 doesn't make sense because it will create the standard {include,bin,man}
 tree beneath that and install. Hence /usr or /usr/local make more
 sense. Also, especially on package management systems like RH, you're
 better not to simply install *over* existing files, particularly as a
 newer version of openssl may have removed headers that were in a
 previous version, so the old ones will end up mixed up with the new
 ones. And of course if a bug-fix release is made by RH to the older
 version, eg. 0.9.6x, that could seriously screw things up if you'd
 installed 0.9.7 over the top. It could also totally mangle your system's
 RPM database, and various other carnage is possible.
 
 The solution is to either grapple with RH's dependencies to try and
 build a replacement openssl RPM from source to upgrade to (which many
 will tell you is an only slightly less difficult problem than the
 alchemy of gold itself) or to install openssl elsewhere and make sure
 your system paths are organised appropriately. Eg. you could use
 /usr/local or /opt as a place to manually install packages such as a
 newer openssl, and make sure that the bin subdirectory is earlier in
 PATH than /usr/bin, ditto for the lib subdirectory in /etc/ld.so.conf,
 the man subdirectory in /etc/man.config, and so on ...
 
Actually, it shouldn't make any difference to the installed RPM of
openssl-0.9.6b, provided that /usr/bin/openssl isn't overwritten. The
quickest way to check is with rpm -V openssl, which should return no
response. All your other points above are valid though. It is probably best
though to put newer stuff for Red Hat under /usr/local so you don't break
anything installed.

Now, upgrading openssl-0.9.6 on a Red Hat box (7.0-8.0 inclusive) will screw
things up bigtime (see the specific section in the openssl FAQ).

If there's sufficient demand I'll make up an openssl 0.9.7 RPM for RedHat
users. So far no-one has asked...

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Am I the only person in the UK who finds it strange that our Prime Minister
complains of Human Rights abuses around the world, yet wishes to opt out of
the European Convention of Human Rights?

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Compiling mod_ssl as a DSO for Apache 1.3.12

2003-02-10 Thread Simon Donally
Hi List Users

I am trying to compile Apache with mod_ssl as a DSO, I'm using a relatively old 
version of Apache software as this particular version functions without errors on the 
system. The software versions are listed below

Solaris 2.6
Apache 1.3.12
Modssl 2.6.6

I have read numerous articles on the internet concerning this procedure and have 
followed all the necessary steps, this has taken about a week and I still cannot get 
Apache to start without error when I use the apachectl startssl command.

1)  I compile openssl 0.9.6b as follows
a.  make clean
b.  make test
c.  make build-shared

This creates libssl.so, libssl.so.0 and libssl.so.0.9.6

2)  I configure mod-ssl as follows
a.  ./configure \
--with-apache=/home/simon/apache_1.3.12 \
--with-ssl=/home/simon/Openssl_0.9.6b/openssl_0.9.6b \
--prefix=/home/simon/Apache12SO \
--enable-module=ssl

3)  I compile Apache
a.  make
b.  make certificate
c.  make install

I obtain the following errors


A)  Using the version of libssl.so created by compiling Apache, this is smaller 
than the libssl.so.0.9.6 created by modssl, and when loaded complains of unresolved 
symbols

bash-2.02$ apachectl startssl

Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:

Cannot load /home/simon/Apache12SO/libexec/libssl.so into server: ld.so.1: /home/simon/Apache12SO/bin/httpd: fatal: relocation error: file /home/simon/Apache12SO/libexec/libssl.so: symbol ap_user_id: referenced symbol not found
.//apachectl startssl: httpd could not be started


B)  Removing /usr/local/ssl/lib from LD_LIBRARY_PATH

bash-2.02$ echo $LD_LIBRARY_PATH

/home/simon/Apache12SO/libexec:/usr/X/lib:/usr/openwin/lib:/usr/dt/lib:/oracle/oracle816/lib:/opt/ALCHTS/j2sdk1_3_1_01/lib:/usr/java1.1/lib:
/opt/htuser/ALCHTS/bin/openldap/lib:/opt/htuser/ALCHTS/bin/apache/libexec:/usr/ucblib:/oracle/oracle816/jre/1.1.8/lib

bash-2.02$ apachectl startssl

Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Cannot load /home/simon/Apache12SO/libexec/libssl.so into server: ld.so.1: 
/home/simon/Apache12SO/bin/httpd: fatal: libcrypto.so.0.9.6: open failed: No such file 
or directory
.//apachectl startssl: httpd could not be started



Compiling mod_ssl as a DSO

2003-02-10 Thread Simon Donally
Hi List Users

I am trying to configure Apache to run with ModSSL as a DSO. I am using relatively old 
versions of software as this particular version of Apache  functions on the system. 
The software versions are as follows

Apache 1.3.12
Openssl_0.9.6b
Modssl_2.6.6

I have read numerous articles both from the list forum and from articles found from 
internet searches. I have tried many options to configure Apache to run with SSL as a 
DSO over a period of a week and to date have not been successful.

I have listed the errors I obtain and the steps I follow to compile Apache. I would be 
most grateful for any advice which may lead to the resolution of this problem.

1)  Compile OpenSSL 0.9.6b as a shared object as follows
a.  make clean
b.  make test
c.  make build-shared

2)  ./configure \
--enable-module=so \
--with-apache=/home/sxxx/apache_1.3.12 \
--with-ssl=/home/simon/Openssl-0.9.6b/openssl-0.9.6b \
--prefix=/home/simon/Apache12SO \
--enable-module=ssl

3)  cd /home/sxxx/apache_1.3.12

make
make certificate
make install

4)  The entry in the httpd.conf file is as follows 
<IfDefine SSL>
LoadModule ssl_module   libexec/libssl.so
</IfDefine>

*   This is the first error I obtain

hometop1% apachectl startssl
Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Cannot load /home/simon/Apache12SO/libexec/libssl.so into server: ld.so.1: 
/home/simon/Apache12SO/bin/httpd: fatal: libssl.so.0.9.6: open failed: No such file or 
directory
.//apachectl startssl: httpd could not be started

This is resolved by setting the LD_LIBRARY_PATH variable to /usr/local/ssl/lib
bash-2.02$ export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH


*   This is the next error I obtain after having set the LD_LIBRARY_PATH variable 
to 
bash-2.02$ apachectl startssl

Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Cannot load /home/simon/Apache12SO/libexec/libssl.so into server: ld.so.1: /home/simon/Apache12SO/bin/httpd: fatal: relocation error: file /home/simon/Apache12SO/libexec/libssl.so: symbol ap_user_id: referenced symbol not found
.//apachectl startssl: httpd could not be started


The next step I tried was 
*   To directly copy libssl.so from Openssl to libexec using libssl.so from Openssl
*   To set the library path to point to /home/simon/Apache12SO/libexec only

bash-2.02$ pwd
/reserv/home/simon/Apache12SO/libexec
bash-2.02$ ls -lisa
total 2472
1188792 drwxr-xr-x   2 simonhtgroup  512 Feb 10 09:03 .
4206942 drwxrwxr-x  12 simonhtgroup  512 Feb  6 16:43 ..
118881   16 -rw-r--r--   1 simonhtgroup 8153 Feb  7 10:57 httpd.exp
1188932 lrwxrwxrwx   1 simonhtgroup   11 Feb 10 09:03 libssl.so -> libssl.so.0
112 lrwxrwxrwx   1 simonhtgroup   15 Feb 10 09:03 libssl.so.0 -> libssl.so.0.9.6
118886 1920 -rwxrwxr-x   1 simonhtgroup   970983 Feb  7 12:45 libssl.so.0.9.6
118890  528 -rwxr-xr-x   1 simonhtgroup   256259 Feb  7 10:57 libssl.so.old

This didn't work either and generated the following error, I notice that the file 
libssl.so.old generated when Apache was compiled is considerably smaller than the file 
libssl.so.0.9.6 copied from OpenSSL

Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Can't locate API module structure `ssl_module' in file 
/home/simon/Apache12SO/libexec/libssl.so: ld.so.1: /home/simon/Apache12SO/bin/httpd: 
fatal: ssl_module: can't find symbol
.//apachectl startssl: httpd could not be started

regards

Simon Donally



RE: Compiling mod_ssl as a DSO

2003-02-10 Thread Boyle Owen
Just to get things clear, openSSL is a library of functions which is
used by (among other things) mod_ssl. So mod_ssl needs to know about
openSSL but openSSL doesn't care which application is using it. Your
installation paths are a bit idiosyncratic, which is OK as long as you
have a clear idea about how everything is inter-related. I was a bit
confused reading your posting so I'm suspecting apache is too.

Generally, you should proceed as follows (if any of this strikes you as
odd, then that might be the problem):

- Install openSSL in /path/to/ssl
- set SSL_BASE = /path/to/ssl
- set LD_RUN_PATH = /usr/lib:/usr/local/lib:/path/to/ssl/lib (this
avoids using LD_LIBRARY_PATH)
- Unpack apache tar file in (e.g.) /tmp/apache
- Unpack mod_ssl tar file in (e.g.) /tmp/mod_ssl
- in /tmp/mod_ssl, run ./configure --with-apache=/tmp/apache (this
patches apache sources)
- in /tmp/apache, run ./configure --prefix=/path/to/apache \
 --enable-module=so \
--enable-shared=ssl \
--enable-module=ssl
- make, make install

This should leave libssl.so in /path/to/apache/libexec and
/path/to/apache/bin/httpd should start without $LD_LIBRARY_PATH being
set.

Rgds,

Owen Boyle

PS - your versions are ancient... Are you sure the latest versions won't
work? On the other hand, your versions are so old that 
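
Added example, not part of the post above or of the mod_ssl distribution: a shell check that a built module can find its OpenSSL libraries through the run path embedded by LD_RUN_PATH, so the server does not depend on LD_LIBRARY_PATH at start-up. It assumes dynamic-section text in GNU `readelf -d` format; the two sample sections, the default directory list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a module's NEEDED libraries resolve through its
# embedded run path. Input is text in GNU `readelf -d` format (assumption).

# Constructed sample: mod_ssl DSO linked without LD_RUN_PATH (no RPATH entry).
SAMPLE_NO_RUNPATH=' 0x00000001 (NEEDED)  Shared library: [libssl.so.0.9.6]
 0x00000001 (NEEDED)  Shared library: [libcrypto.so.0.9.6]
 0x00000001 (NEEDED)  Shared library: [libc.so.1]'

# Constructed sample: the same module built with the LD_RUN_PATH from the post.
SAMPLE_WITH_RUNPATH="$SAMPLE_NO_RUNPATH
 0x0000000f (RPATH)   Library rpath: [/usr/lib:/usr/local/lib:/path/to/ssl/lib]"

# Directories the runtime linker searches when no run path is set (assumption).
DEFAULT_DIRS="/usr/lib:/lib"

# Print the NEEDED library names, one per line.
needed_libs() {
    printf '%s\n' "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Print the embedded RPATH or RUNPATH value; prints nothing if there is none.
run_path() {
    printf '%s\n' "$1" |
        sed -n -e 's/.*(RPATH).*\[\(.*\)].*/\1/p' \
               -e 's/.*(RUNPATH).*\[\(.*\)].*/\1/p' | head -n 1
}

# Print every NEEDED library that is in none of the run-path or default
# directories. $1 = dynamic-section text, $2 = prefix put in front of each
# directory ("" for the live system, a staging tree otherwise).
# Directory names containing whitespace are not supported.
unresolved_libs() {
    dyn=$1
    root=$2
    dirs=$(printf '%s:%s' "$(run_path "$dyn")" "$DEFAULT_DIRS" | tr ':' ' ')
    for lib in $(needed_libs "$dyn"); do
        found=no
        for dir in $dirs; do
            if [ -e "$root$dir/$lib" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$lib"
        fi
    done
}

# Demo on the constructed samples.
echo "run path without LD_RUN_PATH: '$(run_path "$SAMPLE_NO_RUNPATH")'"
echo "run path with LD_RUN_PATH:    '$(run_path "$SAMPLE_WITH_RUNPATH")'"
```

On a real build, pass the output of `readelf -d` for the installed libexec/libssl.so as the first argument and an empty second argument, with LD_LIBRARY_PATH unset; any name printed is a library the server would fail to open.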

  


Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Sasa STUPAR
I have just got an email from another user of RH8 which has the same
problem. I have told him to post it on the list. So looks like there is
a problem.

Sasa

On 2/8/2003 12:48 AM, Geoff Thorpe wrote:
 * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 No, It doesn't. I have compiled it with prefix /usr/include and
 openssldir /usr/include/openssl and there are no headers. I haven't
 noticed it on first but when I wanted to compile apache with mod_ssl it
 returns an error that it was unable to find headers for ssl.
 Is there someone else reporting the same problem ? Maybe is this related
 to the RedHat8 distribution only.
 
 Well RH8 has openssl bundled though probably not with the headers, and I
 can't say much else about what RH might be doing because I don't use it.
 However, trying to install to a prefix of /usr/include would be pretty
 terrible - as it will install all binaries, libraries, and include files
 in *sub-directories* of /usr/include! Are you sure you did this, or did
 you mean /usr/local?
 
 Anyway, I'd be interested to see a log of this problem if you wouldn't
 mind? If there's an openssl bug inside it, I'll try and get it
 identified and fixed for the next release (0.9.7a). Eg. could you please
 repeat your steps and send me the logs as;
   # ./config [...] 1> c1.log 2> c2.log
   # make [...] 1> m1.log 2> m2.log
   # make install 1> i1.log 2> i2.log
 or something like that?
 
 Cheers,
 Geoff
 





Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Sasa STUPAR
I have forgotten...Original installation of RH8 has openssl in
/usr/include/openssl and there are all the headers. Since this is a
version 0.9.6.b I have decided to upgrade. I have made
prefix=/usr/include and openssldir=/usr/include/openssl. So after the
installation it put the binary dir to /usr/include and to the
/usr/include/openssl dirs apps, lib,etc. In /usr/include there are no
headers so I have manually copied them to /usr/include/openssl.




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Sasa STUPAR
Ok, I have found the problem. If you want to have files in the same
directories as original installation of RH8 you have to use ./config
--prefix=/usr. Sorry for that confusion. It is the distribution which
is strange.

Sasa




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Geoff Thorpe
* Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 Ok, I have found the problem. If you want to have files in the same
 directories as original installation of RH8 you have to use ./config
 --prefix=/usr. Sorry for that confusion. It is the distribution which
 is strange.

Phew, I was starting to wonder what I was missing here :-) As I
mentioned originally, using /usr/include as an installation prefix
doesn't make sense because it will create the standard {include,bin,man}
tree beneath that and install. Hence /usr or /usr/local make more
sense. Also, especially on package management systems like RH, you're
better not to simply install *over* existing files, particularly as a
newer version of openssl may have removed headers that were in a
previous version, so the old ones will end up mixed up with the new
ones. And of course if a bug-fix release is made by RH to the older
version, eg. 0.9.6x, that could seriously screw things up if you'd
installed 0.9.7 over the top. It could also totally mangle your system's
RPM database, and various other carnage is possible.

The solution is to either grapple with RH's dependencies to try and
build a replacement openssl RPM from source to upgrade to (which many
will tell you is an only slightly less difficult problem than the
alchemy of gold itself) or to install openssl elsewhere and make sure
your system paths are organised appropriately. Eg. you could use
/usr/local or /opt as a place to manually install packages such as a
newer openssl, and make sure that the bin subdirectory is earlier in
PATH than /usr/bin, ditto for the lib subdirectory in /etc/ld.so.conf,
the man subdirectory in /etc/man.config, and so on ...

BTW: You should check your /usr/include tree that there aren't bits and
pieces of openssl cruft in there left over from your previous efforts -
eg. your previous installation attempts probably created weird
directories like /usr/include/bin, /usr/include/include, etc.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Sasa STUPAR
Prior to the installation I have manually removed old version of Openssl
and other dirs from my previous installs and I have no
problem...everything works well.

Thanks for info.

Sasa




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-08 Thread Geoff Thorpe
* Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 Prior to the installation I have manually removed old version of Openssl
 and other dirs from my previous installs and I have no
 problem...everything works well.

Really? I'm surprised, but happy. RH typically build everything with
shared-library dependencies on openssl libs, so either you're running no
openssl-dependent software, or you're getting lucky with software
built for 0.9.6 linking with 0.9.7 ... eg. ssh is possibly doing this.
Anyway, I leave you and RH to get along with one another in whatever
manner suits you both :-)

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Erik Melkersson


Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Sasa STUPAR
I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
0.9.7 on RH8. First I have compiled openssl then apache and everything
works fine. One trick: after make install in openssl it doesn't copy
headers so you have to manually copy them to your install directory.

On 2/7/2003 10:25 AM, Erik Melkersson wrote:
 Hi!
 
 Thanks for the reply.
 
 Geoff Thorpe wrote:
 ... The kind of linker
 error you report usually suggests the code was compiled against one
 openssl version's headers, but is trying to link against a different
 openssl version's libraries
 
 Yes, I tried to compile it against different openssl-version and didn't 
 make clean in between (dumb fault by me)
 
 After cleaning and compiling again we get some other errors.
 undefined reference to OPENSSL_free, RAND_egd and RAND_status (see below 
 for complete data)
 
 In order to make apache compile we
 - changed OPENSSL_free to CRYPTO_free in a #define in the modules/ssl/ 
 headers file. (As that is done in openssl anyway)
 - commented out the 3+3 lines where RAND_egd and RAND_status are used in 
 modules/ssl/ssl_engine_rand.c
 
 Now we can compile and use it over ssl even though commenting out non 
 working code is probably a bad thing to do.
 
 
 ./configure --prefix=/service/apache2 
 --exec-prefix=/service/apache2/arch/linux-intel --enable-ssl 
 --with-openssl=/service/apache2/openssl/
 ...lots of rows...
 make
 ...lots of rows...
 /bin/sh /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libtool 
 --mode=link gcc  -g -O2 -pthread-DLINUX=2 -D_REENTRANT 
 -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE 
 -DAP_HAVE_DESIGNATED_INITIALIZER 
 -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/include 
 -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/include 
 -I/service/apache2/openssl/include 
 -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib 
 -I. -I/usr/local/service/apache2/src/httpd-2.0.44/os/unix 
 -I/usr/local/service/apache2/src/httpd-2.0.44/server/mpm/prefork 
 -I/usr/local/service/apache2/src/httpd-2.0.44/modules/http 
 -I/usr/local/service/apache2/src/httpd-2.0.44/modules/filters 
 -I/usr/local/service/apache2/src/httpd-2.0.44/modules/proxy 
 -I/usr/local/service/apache2/src/httpd-2.0.44/include 
 -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include 
 -I/usr/local/service/apache2/src/httpd-2.0.44/modules/dav/main 
 -export-dynamic 
 -L/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib 
 -L/usr/local/ssl/lib   -o httpd  modules.lo  modules/aaa/mod_access.la 
 modules/aaa/mod_auth.la modules/filters/mod_include.la 
 modules/loggers/mod_log_config.la modules/metadata/mod_env.la 
 modules/metadata/mod_setenvif.la modules/ssl/mod_ssl.la 
 modules/http/mod_http.la modules/http/mod_mime.la 
 modules/generators/mod_status.la modules/generators/mod_autoindex.la 
 modules/generators/mod_asis.la modules/generators/mod_cgi.la 
 modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la 
 modules/mappers/mod_imap.la modules/mappers/mod_actions.la 
 modules/mappers/mod_userdir.la modules/mappers/mod_alias.la 
 modules/mappers/mod_so.la server/mpm/prefork/libprefork.la 
 server/libmain.la os/unix/libos.la -lssl -lcrypto 
 /usr/local/service/apache2/src/httpd-2.0.44/srclib/pcre/libpcre.la 
 /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/libaprutil-0.la 
 -lgdbm -ldb 
 
/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib/libexpat.la 
 /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libapr-0.la -lm 
 -lcrypt -lnsl -lresolv -ldl
 modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function 
 `ssl_hook_UserCheck':
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:875: 
 undefined reference to `OPENSSL_free'
 modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function 
 `ssl_callback_SSLVerify':
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1206: 
 undefined reference to `OPENSSL_free'
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1210: 
 undefined reference to `OPENSSL_free'
 modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function 
 `ssl_callback_SSLVerify_CRL':
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1469: 
 undefined reference to `OPENSSL_free'
 modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function 
 `modssl_proxy_info_log':
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1507: 
 undefined reference to `OPENSSL_free'
 modules/ssl/.libs/mod_ssl.al(ssl_engine_rand.lo): In function 
 `ssl_rand_seed':
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_rand.c:125: 
 undefined reference to `RAND_egd'
 /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_rand.c:163: 
 undefined reference to `RAND_status'
 modules/ssl/.libs/mod_ssl.al(ssl_engine_vars.lo): In function 
 `ssl_var_lookup_ssl_cert':
 /usr/local

RE: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Boulytchev, Vasiliy
This is off the modssl track, but has anyone gotten frontpage extensions working for 
httpd-2.0.44?   2.0.40 is the supported version, and the install quits if that is not 
it.  Just checking   


-Original Message-
From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 2:39 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems compiling mod_ssl with apache 2.0.44


I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
0.9.7 on RH8. First I have compiled openssl then apache and everything
works fine. One trick: after make install in openssl it doesn't copy
headers so you have to manually copy them to your install directory.


RE: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread R. DuFresne
Are you sure you wish to degrade the security of your apache server with
frontpage extensions?  Frontpage and coldfusion have a nasty security
history.


Thanks,

Ron DuFresne


On Fri, 7 Feb 2003, Boulytchev, Vasiliy wrote:

 This is off the modssl track, but has anyone gotten frontpage extensions working for 
httpd-2.0.44?   2.0.40 is the supported version, and the install quits if that is not 
it.  Just checking   
 
 
 -Original Message-
 From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 07, 2003 2:39 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Problems compiling mod_ssl with apache 2.0.44
 
 
 I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
 0.9.7 on RH8. First I have compiled openssl then apache and everything
 works fine. One trick: after make install in openssl it doesn't copy
 headers so you have to manually copy them to your install directory.
 

Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Geoff Thorpe
Hello,

* Erik Melkersson ([EMAIL PROTECTED]) wrote:
 Geoff Thorpe wrote:
 ... The kind of linker
 error you report usually suggests the code was compiled against one
 openssl version's headers, but is trying to link against a different
 openssl version's libraries
 
 Yes, I tried to compile it against different openssl-version and didn't 
 make clean in between (dumb fault by me)

Ah, that would've helped :-)

 After cleaning and compiling again we get some other errors.
 undefined reference to OPENSSL_free, RAND_egd and RAND_status (see below 
 for complete data)

Erm ...

 In order to make apache compile we
 - changed OPENSSL_free to CRYPTO_free in a #define in the modules/ssl/ 
 headers file. (As that is done in openssl anyway)
 - commented out the 3+3 lines where RAND_egd and RAND_status are used in 
 modules/ssl/ssl_engine_rand.c

None of this should be required if you are compiling against a matching
set of openssl headers and libraries. I suggest for your own benefit
that you get to the bottom of the problem rather than using the tricks
you have - it is known (and in fact reiterated time after time by myself
and other openssl developers) that no binary compatibility should be
assumed from one openssl release to the next until at least version 1.0.
So if you've had to hack to get past the linker stage, and you're so far
lucky enough to have the basic functionality ok at run-time without
any noticeable explosions, you could still be sitting on a behavioural
time-bomb.

BTW: What you've done w.r.t. RAND_*** functions could cause your server
to either (a) fail handshakes with certain client browsers due to PRNG
problems, or worse (b) appear to negotiate fine with everyone despite
using insecure parameters. Which of those risks is greater rather
depends on how you've hacked apache2's code, but either way it shouldn't
be required if your build environment (and openssl installation) is ok.

 Now we can compile and use it over ssl even though commenting out non 
 working code is probably a bad thing to do.

It is, and it could bite you in unknown ways later on. I'd recommend
figuring out why you had to do the things you did to get apache working
- it should be very straightforward and require no such hacking.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Geoff Thorpe
* Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
 0.9.7 on RH8. First I have compiled openssl then apache and everything
 works fine. One trick: after make install in openssl it doesn't copy
 headers so you have to manually copy them to your install directory.

It doesn't? It certainly should - can you please double-check this and
report the details to me if it's true? No one (to my knowledge) has
reported this problem and openssl 0.9.7 has been through a fairly
extensive beta testing period (during which the header installation
didn't AFAICS require any hacking).

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Sasa STUPAR
No, it doesn't. I have compiled it with prefix /usr/include and
openssldir /usr/include/openssl and there are no headers. I didn't
notice it at first, but when I wanted to compile apache with mod_ssl it
returned an error that it was unable to find headers for ssl.
Is there someone else reporting the same problem? Maybe this is related
to the RedHat8 distribution only.

Sasa

On 2/7/2003 7:17 PM, Geoff Thorpe wrote:
 * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
 0.9.7 on RH8. First I have compiled openssl then apache and everything
 works fine. One trick: after make install in openssl it doesn't copy
 headers so you have to manually copy them to your install directory.
 
 It doesn't? It certainly should - can you please double-check this and
 report the details to me if it's true? No one (to my knowledge) has
 reported this problem and openssl 0.9.7 has been through a fairly
 extensive beta testing period (during which the header installation
 didn't AFAICS require any hacking).
 
 Cheers,
 Geoff
 






RE: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Boulytchev, Vasiliy
I walked around the setups, and it works beautifully,  the only thing I changed was 
the ./configure script in /usr/src/apache.blah/ to look in the correct folders for my 
ssl stuff.  

-Original Message-
From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems compiling mod_ssl with apache 2.0.44


No, it doesn't. I have compiled it with prefix /usr/include and
openssldir /usr/include/openssl and there are no headers. I didn't
notice it at first, but when I wanted to compile apache with mod_ssl it
returned an error that it was unable to find headers for ssl.
Is there someone else reporting the same problem? Maybe this is related
to the RedHat8 distribution only.

Sasa

On 2/7/2003 7:17 PM, Geoff Thorpe wrote:
 * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 I have just successfully compiled apache 2.0.44 with mod_ssl and openssl
 0.9.7 on RH8. First I have compiled openssl then apache and everything
 works fine. One trick: after make install in openssl it doesn't copy
 headers so you have to manually copy them to your install directory.
 
 It doesn't? It certainly should - can you please double-check this and
 report the details to me if it's true? No one (to my knowledge) has
 reported this problem and openssl 0.9.7 has been through a fairly
 extensive beta testing period (during which the header installation
 didn't AFAICS require any hacking).
 
 Cheers,
 Geoff
 




Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-07 Thread Geoff Thorpe
* Sasa STUPAR ([EMAIL PROTECTED]) wrote:
 No, it doesn't. I have compiled it with prefix /usr/include and
 openssldir /usr/include/openssl and there are no headers. I didn't
 notice it at first, but when I wanted to compile apache with mod_ssl it
 returned an error that it was unable to find headers for ssl.
 Is there someone else reporting the same problem? Maybe this is related
 to the RedHat8 distribution only.

Well RH8 has openssl bundled though probably not with the headers, and I
can't say much else about what RH might be doing because I don't use it.
However, trying to install to a prefix of /usr/include would be pretty
terrible - as it will install all binaries, libraries, and include files
in *sub-directories* of /usr/include! Are you sure you did this, or did
you mean /usr/local?

Anyway, I'd be interested to see a log of this problem if you wouldn't
mind? If there's an openssl bug inside it, I'll try and get it
identified and fixed for the next release (0.9.7a). Eg. could you please
repeat your steps and send me the logs as;
  # ./config [...] 1> c1.log 2> c2.log
  # make [...] 1> m1.log 2> m2.log
  # make install 1> i1.log 2> i2.log
or something like that?

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/




Problems compiling mod_ssl with apache 2.0.44

2003-02-06 Thread Erik Melkersson
Hi!
(Sending this again after finally successfully subscribing, so sorry if 
you get it twice)

I'm trying to compile Apache 2.0.44 with mod_ssl and have some problems.

I've downloaded and installed openssl-0.9.7. Using:
./config --prefix=/service/apache2/openssl/
--openssldir=/service/apache2/openssl/
I could use those files to compile cadaver.

But when I try to compile apache:
./configure --prefix=/service/apache2
--exec-prefix=/service/apache2/arch/linux-intel --enable-dav
--enable-ssl --with-ssl=/service/apache2/openssl/
...a lot of rows...
make
...a lot of rows...
/bin/sh /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libtool
--silent --mode=link gcc  -g -O2 -pthread-DLINUX=2 -D_REENTRANT
-D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE
-DAP_HAVE_DESIGNATED_INITIALIZER
-I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/include
-I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/include
-I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib
-I. -I/usr/local/service/apache2/src/httpd-2.0.44/os/unix
-I/usr/local/service/apache2/src/httpd-2.0.44/server/mpm/prefork
-I/usr/local/service/apache2/src/httpd-2.0.44/modules/http
-I/usr/local/service/apache2/src/httpd-2.0.44/modules/filters
-I/usr/local/service/apache2/src/httpd-2.0.44/modules/proxy
-I/usr/local/service/apache2/src/httpd-2.0.44/include
-I/service/apache2/openssl//include/openssl
-I/service/apache2/openssl//include
-I/usr/local/service/apache2/src/httpd-2.0.44/modules/dav/main
-export-dynamic
-L/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib
-L/service/apache2/openssl//lib   -o httpd  modules.lo
modules/aaa/mod_access.la modules/aaa/mod_auth.la
modules/filters/mod_include.la modules/loggers/mod_log_config.la
modules/metadata/mod_env.la modules/metadata/mod_setenvif.la
modules/ssl/mod_ssl.la modules/http/mod_http.la modules/http/mod_mime.la
modules/dav/main/mod_dav.la modules/generators/mod_status.la
modules/generators/mod_autoindex.la modules/generators/mod_asis.la
modules/generators/mod_cgi.la modules/dav/fs/mod_dav_fs.la
modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la
modules/mappers/mod_imap.la modules/mappers/mod_actions.la
modules/mappers/mod_userdir.la modules/mappers/mod_alias.la
modules/mappers/mod_so.la server/mpm/prefork/libprefork.la
server/libmain.la os/unix/libos.la -lssl -lcrypto
/usr/local/service/apache2/src/httpd-2.0.44/srclib/pcre/libpcre.la
/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/libaprutil-0.la
-lgdbm -ldb
/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib/libexpat.la 

/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libapr-0.la -lm
-lcrypt -lnsl -lresolv -ldl
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_INFO_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_push'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_SSL_CIPHER_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_SSL_CIPHER_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_pop_free'
modules/ssl/.libs/mod_ssl.so: undefined reference to
`sk_X509_NAME_ENTRY_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_SSL_CIPHER_dup'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_REVOKED_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_INFO_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to
`sk_X509_NAME_ENTRY_value'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_SSL_CIPHER_free'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_INFO_pop_free'
modules/ssl/.libs/mod_ssl.so: undefined reference to
`sk_X509_NAME_set_cmp_func'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_push'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_free'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_INFO_new_null'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_new'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_NAME_find'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_REVOKED_num'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_SSL_CIPHER_find'
modules/ssl/.libs/mod_ssl.so: undefined reference to `sk_X509_INFO_free'
modules/ssl/.libs/mod_ssl.so: undefined reference to `OPENSSL_free'
collect2: ld returned 1 exit status
make[1]: *** [httpd] Error 1
make[1]: Leaving directory `/usr/local/service/apache2/src/httpd-2.0.44'
make: *** [all-recursive] Error 1

Am I missing a lib or something that should have the sk_-stuff?
Some help would be appreciated?

Regards Erik Melkersson

--
__
Erik Melkersson, Technical

Re: Problems compiling mod_ssl with apache 2.0.44

2003-02-06 Thread Geoff Thorpe
Hello,

My first guess would be that you have another version of openssl
libraries and/or headers installed on your system. The kind of linker
error you report usually suggests the code was compiled against one
openssl version's headers, but is trying to link against a different
openssl version's libraries. If my hunch is right, you have an older
version of openssl installed on the system and your code is using the
older version's headers but trying to link against your 0.9.7
installation in /service/apache2/openssl.

I can't test any of this right now so I'm flying a little blind, but
here's a couple of ideas;

(1) If you can (even temporarily) move the system's existing openssl
headers (and libs, for safety) out of the way and try again, you would
see if apache finds the correct headers and libs for sure.

(2) Try forcing the include path in a different way, eg; configure
apache2 like;
# export CFLAGS=-I/service/apache2/openssl/include
# ./configure --prefix=/service/apache2/ etc ...

Good luck,
Geoff

PS: If that leads nowhere, you may want to post your query to one of the
apache2 mailing lists - a version of mod_ssl is now included there and
this sort of configuration issue is quite different between adding
mod_ssl to apache 1.3 and using apache2's builtin version.

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
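
The header/library mismatch described in the reply above (and again in the 2003-02-07 reply about "a matching set of openssl headers and libraries") can be checked mechanically from a compile/link command line. The script below is an added example, not code from the thread or from OpenSSL or Apache: it takes the first `opensslv.h` on the `-I` path and the first `libcrypto` on the `-L` path and compares their release strings. The function names, the fixture tree and its version strings are constructed for illustration, and the default system search paths are not modelled.

```shell
#!/bin/sh
# Added example: does the OpenSSL header the compiler finds first match the
# libcrypto the linker finds first? All names and sample data are constructed.

# Print the directories given with one flag (-I or -L), in command-line order.
flag_dirs() (
    set -f                              # no globbing while splitting the command
    for word in $2; do
        case $word in
            "$1"?*) printf '%s\n' "${word#??}" ;;
        esac
    done
)

# "OpenSSL <version>" from the first opensslv.h on the -I path.
# Assumption: sources include either <openssl/opensslv.h> or <opensslv.h>.
header_version() (
    for dir in $(flag_dirs -I "$1"); do
        for h in "$dir/openssl/opensslv.h" "$dir/opensslv.h"; do
            if [ -f "$h" ]; then
                sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\(OpenSSL [^ ]*\).*/\1/p' "$h" | head -n 1
                return 0
            fi
        done
    done
    return 1
)

# "OpenSSL <version>" from the release string embedded in the first
# libcrypto found on the -L path.
library_version() (
    for dir in $(flag_dirs -L "$1"); do
        for lib in "$dir/libcrypto.so" "$dir/libcrypto.a"; do
            if [ -f "$lib" ]; then
                LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9a-z.]* [0-9]\{1,2\} [A-Z][a-z][a-z] [0-9]\{4\}' "$lib" |
                    head -n 1 | cut -d' ' -f1,2
                return 0
            fi
        done
    done
    return 1
)

# Exit status: 0 = match, 1 = mismatch, 2 = could not determine.
check_openssl_build() (
    hv=$(header_version "$1") || hv=
    lv=$(library_version "$1") || lv=
    if [ -z "$hv" ] || [ -z "$lv" ]; then
        echo "unknown: headers='$hv' library='$lv'"
        return 2
    fi
    if [ "$hv" = "$lv" ]; then
        echo "match: $hv"
        return 0
    fi
    echo "MISMATCH: headers are $hv, library is $lv"
    return 1
)

# Constructed fixture: a "new" and an "old" OpenSSL prefix with stand-in files.
make_fixture() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/new/include/openssl" "$root/new/lib" \
             "$root/old/include/openssl" "$root/old/lib"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL 0.9.7 31 Dec 2002"\n' \
        > "$root/new/include/openssl/opensslv.h"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL 0.9.6b 9 Jul 2001"\n' \
        > "$root/old/include/openssl/opensslv.h"
    printf 'bytes\001\002OpenSSL 0.9.7 31 Dec 2002\001' > "$root/new/lib/libcrypto.a"
    printf '\001\002OpenSSL 0.9.6b 9 Jul 2001\001' > "$root/old/lib/libcrypto.a"
    printf '%s\n' "$root"
)

# Demo: new headers come first on the include path, but only the old library
# directory is on the link path.
demo_root=$(make_fixture)
check_openssl_build "gcc -I$demo_root/new/include -I$demo_root/old/include -L$demo_root/old/lib -o httpd -lssl -lcrypto" || true
rm -rf "$demo_root"
```

To use it on a real build, pass the full libtool/gcc link line from the make output as the single argument to `check_openssl_build`.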




RE: Apache-SSL vs mod_ssl

2003-01-23 Thread Boyle Owen
-Original Message-
From: rmck [mailto:[EMAIL PROTECTED]]

What's the benefit of mod_ssl compared to Apache-SSL???


One has got mod in its name and the other hasn't :-)

I am not expert enough to comment on the two implementations of SSL
technology so I restrict myself to the usability differences:

Apache-SSL is a monolithic program with the SSL functionality hard-coded
into apache. This leads to a large binary. Also, many SSL directives are
*required* in the config in order for it to work. 

mod_ssl allows you to add or remove SSL functionality to an already
working apache (assuming you compiled with EAPI and DSO). So you have
more flexibility.

In a single server set-up, there is probably little to choose from
between the two, however, I could imagine a multi-apache environment
where you wanted some servers with SSL and some without. mod_ssl would
be a good choice there.

As far as I can see, there is no difference between Apache-SSL and
apache with mod_ssl statically compiled - both lead to a monolithic,
SSL-aware binary.

Finally, in my experience, mod_ssl tracks apache updates really fast.
Usually a new mod_ssl is ready within a day of a new apache version.
Apache-SSL tends to be slower and is sometimes a few versions behind.

Rgds,

Owen Boyle




Apache-SSL vs mod_ssl

2003-01-22 Thread rmck
What's the benefit of mod_ssl compared to Apache-SSL???

Thanks
Rob



Re: Apache-SSL vs mod_ssl

2003-01-22 Thread Daniel Lopez

 What's the benefit of mod_ssl compared to Apache-SSL???

mod_ssl is derived originally from Apache SSL
mod_ssl is more widely used than Apache SSL
Apache SSL supports Apache 1.x
mod_ssl supports Apache 1.x and 2.x

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: Apache-SSL vs mod_ssl

2003-01-22 Thread Cliff Woolley
On Wed, 22 Jan 2003, rmck wrote:

> What's the benefit of mod_ssl compared to Apache-SSL???

Bells and whistles that you may or may not need.  Suggest you look over
the list of supported configuration directives for each to see which one
better fits your site.

Note that Apache 2.0 includes mod_ssl as part of the standard
distribution.

--Cliff




our apache+mod_ssl server vulnerable?

2003-01-18 Thread Jun
Hi, 

My question is whether our www server has a critical vulnerability or not.
If someone knows it, please tell me.

We are using Apache 1.3.27 and mod_ssl 2.8.12 with OpenSSL 0.9.6e on HP-UX 11.0.
I think this version of mod_ssl, with default settings, would disable
a countermeasure to OpenSSL 0.9.6's vulnerability.

The reason I think so is that the option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
was added in OpenSSL 0.9.6e and mod_ssl appears to use this option.

We'd like to use the above www server because some www browsers on cell phones
in Japan cannot establish an SSL connection to a www server which doesn't use
the option.

Regards

---
J.Arakawa 




CRL verification failed on apache-mod_ssl 2.0.40

2003-01-10 Thread Omar TANTAOUI
Hi everybody

I am using Apache 2.0.40 with mod_ssl 2.0.40-11 on a Linux Redhat 8.0.
I have configured apache in order to have a secured area where clients must
authenticate themselves with certificates. Until this point everything works
fine.

But when I added the CRL verification feature, I got the following error
message:

[Fri Jan 10 12:21:09 2003] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jan 10 12:21:09 2003] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Fri Jan 10 12:21:11 2003] [warn] Invalid signature on CRL
[Fri Jan 10 12:21:11 2003] [error] Certificate Verification: Error (8): CRL signature failure
[Fri Jan 10 12:21:11 2003] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jan 10 12:21:11 2003] [error] SSL handshake failed (server 192.168.2.237:443, client 192.168.2.178)
[Fri Jan 10 12:21:11 2003] [error] SSL Library Error: 336130161 error:1408F071:lib(20):func(143):reason(113)

Apache says that crl signature is wrong but when I verify it using the
openssl command line, the result is OK !?

Has anybody experienced this problem ? Any idea on how to fix it?

Thanks a lot.



Apache/mod_ssl and Netscape 4.79

2003-01-06 Thread Merton Campbell Crockett
After enabling mod_ssl, I have found that Netscape 4.79 will, occasionally,
hang when accessing content on an HTTPS web site.  This seems to occur
when accessing documents generated using server-side includes that contain
references to cascading style sheets, logos, etc. maintained on a common
system.

Is this a known issue with older versions of Netscape?

Merton Campbell Crockett




RE: DoS attack on mod_ssl 2.8.12 ??

2002-12-20 Thread Boyle Owen
There is a major thread running on the openssl list about this very
thing (Slapper worm)... Starts here:

http://www.mail-archive.com/openssl-users@openssl.org/msg29762.html

Rgds,

Owen Boyle

-Original Message-
From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 19. Dezember 2002 17:04
To: [EMAIL PROTECTED]
Cc: Pedro Nascimento; Greg Davydouski
Subject: DoS attack on mod_ssl 2.8.12 ??


Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send SSLv2
Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without
hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider
raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.






DoS attack on mod_ssl 2.8.12 ??

2002-12-19 Thread Sergey Strakhov
Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send SSLv2
Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.
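
The error-log pattern described in this post can be checked for mechanically. The following is an added example, not part of the original message: it scans Apache 1.3 style error_log lines for the thread-exhaustion record and lists the clients that sent a Host-less HTTP/1.1 request shortly before it. The sample lines, the addresses in them and the 60-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 error_log record:
#   [Thu Dec 19 17:03:51 2002] [error] [client 192.0.2.44] message
# The "[client ...]" part is absent on server-wide messages.
RECORD = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] '
    r'\[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
NO_HOST = "client sent HTTP/1.1 request without hostname"
EXHAUSTED = "Server ran out of threads to serve requests"


def parse_record(line):
    """Return (timestamp, level, client or None, message), or None if the
    line is not an error_log record (e.g. a wrapped continuation line)."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("client"), m.group("msg")


def find_exhaustion_events(lines, window_seconds=60):
    """For every thread-exhaustion record, report which clients sent a
    Host-less HTTP/1.1 request within window_seconds before it."""
    window = timedelta(seconds=window_seconds)
    probes = []   # (timestamp, client) of Host-less requests seen so far
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, _level, client, msg = rec
        if client and msg.startswith(NO_HOST):
            probes.append((ts, client))
        elif msg.startswith(EXHAUSTED):
            # Keep only probes that are still inside the window.
            probes = [(t, c) for t, c in probes if ts - t <= window]
            first = probes[0][0] if probes else None
            events.append({
                "time": ts,
                "probe_clients": sorted({c for _, c in probes}),
                "seconds_since_first_probe":
                    int((ts - first).total_seconds()) if first else None,
            })
    return events


# Constructed sample (addresses are documentation ranges, not from the post).
SAMPLE_ERROR_LOG = """\
[Thu Dec 19 16:40:12 2002] [error] [client 198.51.100.23] File does not exist: c:/apache/htdocs/favicon.ico
[Thu Dec 19 17:03:51 2002] [error] [client 192.0.2.44] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Dec 19 17:04:02 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Thu Dec 19 18:30:00 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
""".splitlines()

if __name__ == "__main__":
    for ev in find_exhaustion_events(SAMPLE_ERROR_LOG):
        if ev["probe_clients"]:
            print(ev["time"], "exhaustion", ev["seconds_since_first_probe"],
                  "s after Host-less request from", ", ".join(ev["probe_clients"]))
        else:
            print(ev["time"], "exhaustion with no preceding Host-less request")
```

An exhaustion record with no preceding Host-less request points toward ordinary load against a small ThreadsPerChild value rather than the sequence described in the post.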






RE: DoS attack on mod_ssl 2.8.12 ??

2002-12-19 Thread HMajidy
I have heard from several sources Apache version 1.x for Windows does not
thread very well. The first real Win32 version is Apache 2.0. This does not
answer your question, I know, but it's something to consider in formulating
a long-term solution.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Sergey Strakhov
Sent: Thursday, December 19, 2002 8:04 AM
To: [EMAIL PROTECTED]
Cc: Pedro Nascimento; Greg Davydouski
Subject: DoS attack on mod_ssl 2.8.12 ??


Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send SSLv2
Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without
hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider
raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.






Re: DoS attack on mod_ssl 2.8.12 ??

2002-12-19 Thread hunter
On Thu, 2002-12-19 at 11:03, Sergey Strakhov wrote:
> Hello,
>
> We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
> 2.8.12 + openssl 0.9.6g running on Windows 2000.
> It is a sort of DoS attack that makes our web site totally inaccessible.
>
> One of those attacks was captured with Ethereal. The dump is attached.
>
> As you can see, the attack is accomplished through both HTTP (80) and
> HTTPS (443) ports.
> First, the connection is opened to the HTTP port and a malformed
> HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
> (probably with an intention to produce a crash described in
> http://www.cert.org/advisories/CA-2002-27.html or just to determine the
> host's Server version). The server responds with HTTP/1.1 400 Bad
> request and closes the connection. After that the attacker starts
> opening connections to the HTTPS port. One of them is used to send SSLv2
> Client Hello request. From this point the web server starts rejecting
> all incoming connections and the web site stops responding on both HTTP
> and HTTPS ports.
>
> The error log usually contains records like:
>
> [..time..] [error] [client ..] client sent HTTP/1.1 request without
> hostname (see RFC2616 section 14.23): /
> [..time..] [error] Server ran out of threads to serve requests. Consider
> raising the ThreadsPerChild setting
>
> Is this problem related to mod_ssl anyhow?
> Do you expect any fix for this problem soon?
>
> Regards
>
> P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.
 

Your code is very much out of date ... it is exploitable and DOSable

I saw many people in the summer describe similar reports as yours,
prompting me to build Apache binaries for many of those that were
suffering.

You cannot continue to run with openssl 0.9.6g -- openssl 0.9.6h is the
current version.  My advice is do not waste your time trying to
understand it.

You can get reliable up-to-date binaries from me ;)  Other people are
downloading the binaries as well.

http://hunter.campbus.com/Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://hunter.campbus.com/Openssl-0.9.6h-Win32.zip

http://hunter.campbus.com/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You can also get them from my server ... md5's are available from my
server as well.

http://tor.ath.cx/~hunter/Apache_1.3.27-Mod_SSL_2.8.11-OpenSSL_0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Openssl-0.9.6h-Win32.zip

http://tor.ath.cx/~hunter/Apache_2.0.43-OpenSSL_0.9.6h-Win32.zip

You are welcome to contact me directly
h u n t e r @ t o r . a t h . c x

If you need instructions on how to rebuild the code, I have to look for
them - they are messy (for Apache2) and can be found in the archives -
search for 'apache hunter masm' -- apache 1.3.27 is easy to build let me
know if you need help.

hunter





RE: POST with mod_ssl intermittently fails with a 405

2002-12-18 Thread John . Airey
Will the file be fairly large then?

Try setting these to 8M and 16M respectively (if you have enough memory that
is), do a reload of the config and see if the problem repeats. It may be the
case that there is a large overhead on the forms that you are submitting
(since each field becomes a PHP variable).

John

 -Original Message-
 From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
 Sent: 17 December 2002 17:39
 To: [EMAIL PROTECTED]
 Subject: RE: POST with mod_ssl intermittently fails with a 405
 
 
 I've got an upload_max_filesize = 2M and a memory_limit = 8M 
 and I'm POSTing
 10 fields of about 20 characters each! I'm using POST because 
 there will
 later be a file attached, but at the moment there isn't. So 
 it can't really
 be that, can it ?
   -JP
 
 
 On Tue, 17 Dec 2002, [EMAIL PROTECTED] wrote:
 
  Oops. I meant to say that you should have memory_limit twice
  upload_max_filesize. I've had problem when they've both 
 been the same.
 
  John
 
   -Original Message-
   From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
   Sent: 17 December 2002 16:50
   To: [EMAIL PROTECTED]
   Subject: RE: POST with mod_ssl intermittently fails with a 405
  
  
   I've upgraded to 0.9.6h and recompiled Apache. No change.
   Still get the
   hint in the error_log. Any other ideas ?
  
 -JP
  
  
   On Tue, 17 Dec 2002, Boyle Owen wrote:
  
Your openSSL libs are a bit old - there have been many
   important code
updates since 0.9.6b. In particular, the most recent 
 update (0.9.6h)
fixed race condition bugs that were causing intermittent
   failures. Try
an upgrade first, I would advise...
   
Rgds,
   
Owen Boyle
   
-Original Message-
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 17. Dezember 2002 16:07
To: [EMAIL PROTECTED]
Subject: POST with mod_ssl intermittently fails with a 405


Hello,

I've got an self-built Apache on a RedHat 7.3 Linux box with
Apache/2.0.43,
mod_ssl/2.0.43,  OpenSSL/0.9.6b,  PHP/4.2.3 and 
 mod_authzldap 0.22

Every so often a PHP page is called with a POST request to
send data to the
server. The whole server area is protected via the following
settings in
ssl.conf:

Directory /var/www/html/ca
Options Indexes FollowSymLinks ExecCGI
DirectoryIndex index.php index.cgi
SSLOptions FakeBasicAuth ExportCertData CompatEnvVars
StrictRequire StdEnvVars OptRenegotiate

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth  4
SSLRequire ( \
%{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
%{SSL_CLIENT_I_DN_CN} eq my CA )

AuthzLDAPEngine on
AuthzLDAPAuthoritative  on
AuthzLDAPServer localhost:389
AuthzLDAPBindDN
   cn=manager,dc=mydomain,dc=com
AuthzLDAPBindPassword   terriblysecret
AuthzLDAPUseCertificate on
AuthzLDAPSetAuthorization   on
AuthzLDAPUseSerial  on
AuthzLDAPMapBase
ou=AuthzLDAPCertmap,dc=mydomain,dc=com
AuthzLDAPMapScope   subtree
AuthzLDAPLogLevel   warn
AuthzLDAPCacheConnectionoff
AuthzLDAPCacheSize  0
AuthNameAuthzLDAP
AuthTypeBasic
/Directory

and with the following require in .htaccess of the 
 same directory:

   require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources
are .PHP).
Once in a while a POST method is attempted which then
sometimes fails (not
always). When it has failed, subsequent GET methods on
different pages do
not work either. After a certain time which always differs,
the GET will work
and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to
`sem' thinking
it had something to do with it, but to no avail. The value of
SSLSessionCacheTimeout
doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
   [Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43
(Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured --
resuming normal operations
   [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation
in conjunction with POST method not supported!
   hint: try SSLOptions +OptRenegotiate

access_log:
   10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] POST
/ca/ra/upd.php HTTP/1.1 405 312
   10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] GET
/ca/ra/req.php HTTP/1.1 403 292
   10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED]
[17/Dec/2002:15:49:21 +0100] GET /ca/ra/req.php 
 HTTP

RE: POST with mod_ssl intermittently fails with a 405

2002-12-18 Thread Jan-Piet Mens
No change. Initially all works fine. If I set SSLSessionCacheTimeout to 15
the 405 followed by 403 errors occur immediately! Otherwise when set to 3600
the errors occur at different intervals. What now ?

Thanks & regards,
-JP


On Wed, 18 Dec 2002, [EMAIL PROTECTED] wrote:

 Will the file be fairly large then?

 Try setting these to 8M and 16M respectively (if you have enough memory that
 is), do a reload of the config and see if the problem repeats. It may be the
 case that there is a large overhead on the forms that you are submitting
 (since each field becomes a PHP variable).

 John

  -Original Message-
  From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
  Sent: 17 December 2002 17:39
  To: [EMAIL PROTECTED]
  Subject: RE: POST with mod_ssl intermittently fails with a 405
 
 
  I've got an upload_max_filesize = 2M and a memory_limit = 8M
  and I'm POSTing
  10 fields of about 20 characters each! I'm using POST because
  there will
  later be a file attached, but at the moment there isn't. So
  it can't really
  be that, can it ?
  -JP
 
 
  On Tue, 17 Dec 2002, [EMAIL PROTECTED] wrote:
 
   Oops. I meant to say that you should have memory_limit twice
   upload_max_filesize. I've had problem when they've both
  been the same.
  
   John
  
-Original Message-
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 16:50
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405
   
   
I've upgraded to 0.9.6h and recompiled Apache. No change.
Still get the
hint in the error_log. Any other ideas ?
   
-JP
   
   
On Tue, 17 Dec 2002, Boyle Owen wrote:
   
 Your openSSL libs are a bit old - there have been many
important code
 updates since 0.9.6b. In particular, the most recent
  update (0.9.6h)
 fixed race condition bugs that were causing intermittent
failures. Try
 an upgrade first, I would advise...

 Rgds,

 Owen Boyle

 -Original Message-
 From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
 Sent: Dienstag, 17. Dezember 2002 16:07
 To: [EMAIL PROTECTED]
 Subject: POST with mod_ssl intermittently fails with a 405
 
 
 Hello,
 
 I've got an self-built Apache on a RedHat 7.3 Linux box with
 Apache/2.0.43,
 mod_ssl/2.0.43,  OpenSSL/0.9.6b,  PHP/4.2.3 and
  mod_authzldap 0.22
 
 Every so often a PHP page is called with a POST request to
 send data to the
 server. The whole server area is protected via the following
 settings in
 ssl.conf:
 
 Directory /var/www/html/ca
 Options Indexes FollowSymLinks ExecCGI
 DirectoryIndex index.php index.cgi
 SSLOptions FakeBasicAuth ExportCertData CompatEnvVars
 StrictRequire StdEnvVars OptRenegotiate
 
 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth  4
 SSLRequire ( \
 %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
 %{SSL_CLIENT_I_DN_CN} eq my CA )
 
 AuthzLDAPEngine on
 AuthzLDAPAuthoritative  on
 AuthzLDAPServer localhost:389
 AuthzLDAPBindDN
cn=manager,dc=mydomain,dc=com
 AuthzLDAPBindPassword   terriblysecret
 AuthzLDAPUseCertificate on
 AuthzLDAPSetAuthorization   on
 AuthzLDAPUseSerial  on
 AuthzLDAPMapBase
 ou=AuthzLDAPCertmap,dc=mydomain,dc=com
 AuthzLDAPMapScope   subtree
 AuthzLDAPLogLevel   warn
 AuthzLDAPCacheConnectionoff
 AuthzLDAPCacheSize  0
 AuthNameAuthzLDAP
 AuthTypeBasic
 /Directory
 
 and with the following require in .htaccess of the
  same directory:
 
  require user CN=Jan-Piet [EMAIL PROTECTED]
 
 GET operations always work perfectly (BTW almost all resources
 are .PHP).
 Once in a while a POST method is attempted which then
 sometimes fails (not
 always). When it has failed, subsequent GET methods on
 different pages do
 not work either. After a certain time which always differs,
 the GET will work
 and the following POST also.
 
 I've tried changing SSLSessionCache to `shm' and SSLMutex to
 `sem' thinking
 it had something to do with it, but to no avail. The value of
 SSLSessionCacheTimeout
 doesn't seem to matter either.
 
 At the time of the failure, the logs have this in them:
 
 error_log:
  [Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43
 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured --
 resuming normal operations
  [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation

RE: Mod_ssl and apache 2.0.40

2002-12-18 Thread francoise . tukalo
Sorry, I made a mistake in the configuration. In reality the directives in
ssl.conf are:
Location /test
<Location /telechargement>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]
</Location>

I test http://machine.site/telechargement/fichier.html

In reality, I have several questions:
Why does http_2.0.40 loop and why doesn't apache_1.3.27 loop?
And why does the server see the URL that I am testing,
http://machine.site/telechargement/fichier.html, as
/home/httpd/html/telechargement/fichier.html?

Perhaps it's an idiotic question, but I'd like someone to answer this.

Thanks.

Françoise TUKALO
STNA  8IS
Tel  : 05 62 14 53 95
Fax : 05 62 14 54 02
email : [EMAIL PROTECTED]




RE: POST with mod_ssl intermittently fails with a 405

2002-12-18 Thread Moeller Wolf-Dietrich
This error might be related to bug
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355 ,
as your error message
> [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
> hint: try SSLOptions +OptRenegotiate
suggests.

My interpretation (not sure).
On an existing SSL connection (established with a GET request), subsequent
POSTs are possible.
But after timeout of this connection, if the first request for the new
establishment of connection is POST, it sometimes (or always?) fails.
Therefore the intermittent error only.

You can produce this error always, if you do Verify client for single
directories only, not for the whole server.

By the way: The hint with +OptRenegotiate does not help for the above bug.

Hope it helps.
Wolf


Dr. Wolf-Dietrich Moeller
Siemens AG, CT IC 3, D-81730 München
Corporate Technology Department Security
Mch P, Tel. +49 89 636-53391, Fax -48000
mailto:[EMAIL PROTECTED]
Intranet https://security.ct.siemens.de/





RE: POST with mod_ssl intermittently fails with a 405

2002-12-18 Thread Jan-Piet Mens
Thank you, Wolf-Dietrich! You are right. The bug documents my problem
exactly. I'm disappointed that there seems to be no solution...

Regards,
-JP


On Tue, 17 Dec 2002, Moeller Wolf-Dietrich wrote:

> This error might be related to bug
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355 ,
> as your error message
> > [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
> > hint: try SSLOptions +OptRenegotiate
> suggests.
>
> My interpretation (not sure).
> On an existing SSL connection (established with a GET request), subsequent
> POSTs are possible.
> But after timeout of this connection, if the first request for the new
> establishment of connection is POST, it sometimes (or always?) fails.
> Therefore the intermittent error only.
>
> You can produce this error always, if you do Verify client for single
> directories only, not for the whole server.
>
> By the way: The hint with +OptRenegotiate does not help for the above bug.
>
> Hope it helps.
> Wolf
>
> Dr. Wolf-Dietrich Moeller
> Siemens AG, CT IC 3, D-81730 München
> Corporate Technology Department Security
> Mch P, Tel. +49 89 636-53391, Fax -48000
> mailto:[EMAIL PROTECTED]
> Intranet https://security.ct.siemens.de/







RE: Mod_ssl and apache 2.0.40

2002-12-17 Thread Boyle Owen
It is an obvious loop. Why are you surprised that this loops? Please
provide:

1) Example of incoming URL
2) What you want it to translate to

Rgds,

Owen Boyle

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Montag, 16. Dezember 2002 15:32
To: [EMAIL PROTECTED]
Subject: Mod_ssl and apache 2.0.40


Hello,

I installed on a PC running linux redhat 8.0 a web server apache 2.0.40 and
mod ssl 0.9.6b (the configuration included in redhat 8.0).

I want to access a directory of my site with ssl. The directory site pages
have been written in html without ssl.
To avoid the rewriting of all pages, I try to put the following directives
in /etc/httpd/conf.d/ssl.conf

<Location /test>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]
</Location>

If I test http://machine.site/telechargement/fichier.html, the server
permanently loops.
I obtain the following messages in ssl_access_log:

143.196.30.134 - - [10/Dec/2002:11:00:22 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295

I read a lot of archives of the mail and the faq of apache. I have seen
that a lot of solutions for this matter have been found with apache 1.3.*.
So I compiled apache_1.3.27 with mod-ssl_2.8.12 on the same PC. I tested
this server with the same config and it works fine.

Does anyone know where the problem is?

Regards





POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Jan-Piet Mens
Hello,

I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43,
mod_ssl/2.0.43, OpenSSL/0.9.6b, PHP/4.2.3 and mod_authzldap 0.22.

Every so often a PHP page is called with a POST request to send data to the
server. The whole server area is protected via the following settings in
ssl.conf:

<Directory /var/www/html/ca>
Options Indexes FollowSymLinks ExecCGI
DirectoryIndex index.php index.cgi
SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth  4
SSLRequire ( \
%{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
%{SSL_CLIENT_I_DN_CN} eq "my CA" )

AuthzLDAPEngine on
AuthzLDAPAuthoritative  on
AuthzLDAPServer localhost:389
AuthzLDAPBindDN cn=manager,dc=mydomain,dc=com
AuthzLDAPBindPassword   terriblysecret
AuthzLDAPUseCertificate on
AuthzLDAPSetAuthorization   on
AuthzLDAPUseSerial  on
AuthzLDAPMapBase    ou=AuthzLDAPCertmap,dc=mydomain,dc=com
AuthzLDAPMapScope   subtree
AuthzLDAPLogLevel   warn
AuthzLDAPCacheConnection    off
AuthzLDAPCacheSize  0
AuthName    AuthzLDAP
AuthType    Basic
</Directory>

and with the following require in .htaccess of the same directory:

require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources are .PHP).
Once in a while a POST method is attempted which then sometimes fails (not
always). When it has failed, subsequent GET methods on different pages do
not work either. After a certain time which always differs, the GET will work
and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking
it had something to do with it, but to no avail. The value of SSLSessionCacheTimeout
doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
hint: try SSLOptions +OptRenegotiate

access_log:
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] POST /ca/ra/upd.php HTTP/1.1 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] GET /ca/ra/req.php HTTP/1.1 403 292
10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] GET /ca/ra/req.php HTTP/1.1 200 4936

ssl_request_log:
[17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 POST /ca/ra/upd.php HTTP/1.1 312 s_dn=-,  issuer=-

The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0 all
with a client cert issued by my CA. The issue affects both clients (Netscape
4.5 shows the same)

Can someone help me resolve this, please ?

Thank you very much.
Regards,
-JP

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
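
The failure pattern reported in the message above (a POST answered with 405 at the moment mod_ssl logs the renegotiation error, then unauthenticated 403s until a request carries the client certificate DN again) can be pulled out of the logs mechanically. The script below is an added example, not part of the original post; the function names are hypothetical, the sample lines are the ones from the post with the archive's wrapping undone, and it assumes error_log and access_log use the same local clock.

```python
import re
from datetime import datetime, timedelta

# Log lines from the post, with the archive's line wrapping undone.
# The archive dropped the quotes Apache normally writes around the request,
# so the access_log pattern accepts the request with or without them.
ERROR_LOG = """\
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
"""
ACCESS_LOG = """\
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] POST /ca/ra/upd.php HTTP/1.1 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] GET /ca/ra/req.php HTTP/1.1 403 292
10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] GET /ca/ra/req.php HTTP/1.1 200 4936
"""

RENEG_MSG = "SSL Re-negotiation in conjunction with POST method not supported"
ERROR_RE = re.compile(r"^\[\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[(\w+)\] (.*)$")
# The user field may contain spaces and brackets (a certificate DN), so it is
# matched lazily up to the bracket that starts a real timestamp.
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.*?) '
    r'\[(?P<ts>\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) \S+"? (?P<status>\d{3}) \S+$'
)


def renegotiation_errors(error_text):
    """Return the timestamps of mod_ssl's POST renegotiation errors."""
    times = []
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if m and m.group(2) == "error" and RENEG_MSG in m.group(3):
            times.append(datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"))
    return times


def access_entries(access_text):
    """Yield parsed access_log entries; the UTC offset is dropped so the
    times compare directly with error_log's local timestamps."""
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield {
                "host": m["host"],
                "user": m["user"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
            }


def failure_windows(error_text, access_text, slack=timedelta(seconds=1)):
    """Find each client's failure window: it opens on a POST/405 that
    coincides with a renegotiation error and closes on the first request
    that succeeds with an authenticated user."""
    reneg = renegotiation_errors(error_text)
    open_by_host = {}
    windows = []
    for e in access_entries(access_text):
        w = open_by_host.get(e["host"])
        trigger = (
            e["method"] == "POST"
            and e["status"] == 405
            and any(abs(e["time"] - t) <= slack for t in reneg)
        )
        if trigger and w is None:
            w = {"host": e["host"], "path": e["path"], "start": e["time"],
                 "recovered": None, "seconds": None, "denied_followups": 0}
            open_by_host[e["host"]] = w
            windows.append(w)
        elif w is not None:
            if e["user"] != "-" and e["status"] < 400:
                w["recovered"] = e["time"]
                w["seconds"] = int((e["time"] - w["start"]).total_seconds())
                del open_by_host[e["host"]]
            elif e["status"] in (403, 405):
                w["denied_followups"] += 1
    return windows


if __name__ == "__main__":
    for w in failure_windows(ERROR_LOG, ACCESS_LOG):
        print(w["host"], w["path"], "failed at", w["start"],
              "| denied follow-ups:", w["denied_followups"],
              "| recovered after", w["seconds"], "s")
```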



RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Boyle Owen
Your openSSL libs are a bit old - there have been many important code
updates since 0.9.6b. In particular, the most recent update (0.9.6h)
fixed race condition bugs that were causing intermittent failures. Try
an upgrade first, I would advise...

Rgds,

Owen Boyle

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread John . Airey
I've just re-read the original poster's message, and it is possible that when
they say the system is self-built that they built an older version of
openssl. However, given what I've already said that is unlikely.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

I know it sounds cocky, but I honestly believe that one day there'll be a
telephone in every Town in America - Alexander Graham Bell



RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Jan-Piet Mens
It is just Apache & PHP & mod_authzldap that are self-built (i.e. compiled).
The rest of the system is a vanilla RedHat 7.3.

-JP



RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Jan-Piet Mens
I've upgraded to 0.9.6h and recompiled Apache. No change. Still get the
hint in the error_log. Any other ideas ?

-JP



RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread John . Airey
Sorry to be slow on the uptake. How big is your POST? I had an issue with
memory_limit, post_max_size and upload_max_filesize (all in /etc/php.ini).
If your POST is bigger than the limits within php, the script may give up.
This could be the cause of what you are seeing.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

I know it sounds cocky, but I honestly believe that one day there'll be a
telephone in every Town in America - Alexander Graham Bell (my paraphrase)



RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread John . Airey
Oops. I meant to say that you should have memory_limit twice
upload_max_filesize. I've had problems when they've both been the same.

John


RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Jan-Piet Mens
I've got an upload_max_filesize = 2M and a memory_limit = 8M and I'm POSTing
10 fields of about 20 characters each! I'm using POST because there will
later be a file attached, but at the moment there isn't. So it can't really
be that, can it ?
-JP



Mod_ssl and apache 2.0.40

2002-12-16 Thread francoise . tukalo
Hello,

I installed on a Linux Red Hat 8.0 PC a web server, Apache 2.0.40 and mod ssl
0.9.6b (configuration included in Red Hat 8.0).

I want to access a directory of my site with SSL. The directory site pages
have been written in HTML without SSL.
To avoid rewriting all the pages, I tried to put the following directives
in /etc/httpd/conf.d/ssl.conf:

<Location /test>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]
</Location>

If I test http://machine.site/telechargement/fichier.html, the server
loops permanently.
I obtain the following messages in ssl_access_log:

143.196.30.134 - - [10/Dec/2002:11:00:22 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] GET /test/compteftp.doc HTTP/1.1 302 295

I read a lot of the mailing list archives and the Apache FAQ. I have seen
that a lot of solutions for this matter have been
found with Apache 1.3.*. So I compiled apache_1.3.27 with mod-ssl_2.8.12 on
the same PC. I tested this server with the same config and it works fine.

Does anyone know where the problem is?

Regards
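
The run of identical 302 entries in this post is what a redirect loop looks like in an access log. The following is an added example, not code from the thread, that flags such runs per client and URL; the thresholds, the function name and the last two sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Common Log Format as it appears in this post. The list archive dropped the
# quotes around the request, so they are optional here; the user field may
# contain spaces (a certificate DN), hence the lazy match.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>.*?) \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"? '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
REDIRECTS = {"301", "302", "303", "307", "308"}


def find_redirect_loops(lines, min_repeats=5, window=timedelta(seconds=10)):
    """Report (client, method, path) keys answered with an unbroken run of
    at least min_repeats redirects, each within `window` of the previous one."""
    runs = {}    # key -> [first_ts, last_ts, count]
    loops = []

    def close(key):
        first, last, count = runs.pop(key)
        if count >= min_repeats:
            loops.append({"client": key[0], "path": key[2], "count": count,
                          "seconds": (last - first).total_seconds()})

    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an access-log entry
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["client"], m["method"], m["path"])
        is_redirect = m["status"] in REDIRECTS
        run = runs.get(key)
        # A non-redirect answer or a long pause ends the current run.
        if run and (not is_redirect or ts - run[1] > window):
            close(key)
            run = None
        if is_redirect:
            if run:
                run[1] = ts
                run[2] += 1
            else:
                runs[key] = [ts, ts, 1]
    for key in list(runs):
        close(key)
    return loops


# The first entry and the repeated 11:00:23 entry are from the post (wrapped
# lines rejoined). The two 10.0.0.7 lines are constructed: a single,
# legitimate redirect that must not be reported.
LOOP_HIT = ("143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "
            "GET /test/compteftp.doc HTTP/1.1 302 295")
SAMPLE_LOG = (
    ["143.196.30.134 - - [10/Dec/2002:11:00:22 +0100] "
     "GET /test/compteftp.doc HTTP/1.1 302 295"]
    + [LOOP_HIT] * 11
    + ['10.0.0.7 - - [10/Dec/2002:11:06:00 +0100] "GET /old HTTP/1.1" 302 210',
       '10.0.0.7 - - [10/Dec/2002:11:06:01 +0100] "GET /new HTTP/1.1" 200 5120']
)

if __name__ == "__main__":
    for loop in find_redirect_loops(SAMPLE_LOG):
        print(loop)
```

A run like this means the redirect target matches the same rule again, so the condition guarding the rule never becomes false for the redirected request.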


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall
Just for your information: the Apache mod_ssl project environment was
migrated to a new location. In case of any problems, contact me.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Mads Toftum
On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
 Just for your information: the Apache mod_ssl project environment was
 migrated to a new location. In case of any problems, contact me.
 
It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
the docs taken from the source - like 
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
both result in Internal Server Error.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall
On Sun, Dec 15, 2002, Mads Toftum wrote:

 On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
  Just for your information: the Apache mod_ssl project environment was
  migrated to a new location. In case of any problems, contact me.
 
 It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
 the docs taken from the sorce - like
 http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
 both result in Internal Server Error.

Ops, yes, of course. Because there is no more active development on
mod_ssl for Apache 1.3, the CVS environment is no longer provided
publicly (because there would be no interesting things to monitor at
all) and hence the new public project environment has no CVS setup.
So, CVS related things are now gone from the website. Just my fault in
forgetting to synchronize the website. Now fixed. Thanks for the hint.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread R. DuFresne
On Sun, 15 Dec 2002, Ralf S. Engelschall wrote:

 On Sun, Dec 15, 2002, Mads Toftum wrote:
 
  On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
   Just for your information: the Apache mod_ssl project environment was
   migrated to a new location. In case of any problems, contact me.
  
  It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
  the docs taken from the sorce - like
  http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
  both result in Internal Server Error.
 
 Ops, yes, of course. Because there is no more active development on
 mod_ssl for Apache 1.3, the CVS environment is no longer provided
 publically (because there would be no interesting things to monitor at
 all) and hence the new public project environment has no CVS setup.
 So, CVS related things are now gone from the website. Just my fault in
 forgetting to synchronize the website. Now fixed. Thanks for the hint.

Ralf,

does this imply there are to be no more apache 1.3 development or version
updates, thus modssl is now moving entirely into the source for apache
2.0?


Thanks,

Ron DuFresne
-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall

In article [EMAIL PROTECTED] you wrote:

   Just for your information: the Apache mod_ssl project environment was
   migrated to a new location. In case of any problems, contact me.
  
  It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
  the docs taken from the sorce - like
  http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
  both result in Internal Server Error.
 
 Ops, yes, of course. Because there is no more active development on
 mod_ssl for Apache 1.3, the CVS environment is no longer provided
 publically (because there would be no interesting things to monitor at
 all) and hence the new public project environment has no CVS setup.
 So, CVS related things are now gone from the website. Just my fault in
 forgetting to synchronize the website. Now fixed. Thanks for the hint.
 
 does this imply there are to be no more apache 1.3 developement or version
 updates, thus modssl is now moving entirely into the source for apache
 2.0?

Err... mod_ssl already _IS_ included in the official Apache 2 source tree...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



problems after upgrading mod_ssl and apache..

2002-12-11 Thread Arnvid Karstad
Hiya

Yesterday we upgraded one of our http servers from apache 1.3.26 to
1.3.27 with the equivalent version of mod_ssl.

root@nextgeneration:/usr/src/other/php# /usr/local/apache/bin/apachectl startssl
Apache/1.3.27 mod_ssl/2.8.12 (Pass Phrase Dialog)
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide us with the pass phrases.
 Server ssl.reroute.set:443 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started

Syntax error on line 524 of /usr/local/apache/conf/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included 
in the server configuration

And then the server dies... anyone know where to start looking..?


Mvh/Best regards,

Arnvid L. Karstad





Re: Mod_ssl in apache 2.X

2002-12-05 Thread Daniel Lopez

For mod_ssl on Apache 2.0 you may want to check also the secure server
chapter I have online, which contains step by step instructions

http://www.apacheworld.org/ty24/

Best regards

Daniel

 Hi!
 
 Im not here to quarrel with you kid. Im here to get some help, and your
 insults are not helping very much.
 
 I thought this was the modssl-users list for people with
 not-so-much-expert-knowledge and not the linux-experts-with-nolife
 mailinglist.
 
 Im working under time pressure and cannot afford reading old documentation
 all day and then guess how the latter versions work (but of course I have
 read most of the old documentation anyway...).
 
 If I understand the example below I could rewrite it:
 
 CC=pgcc CFLAGS=-O2 \
  ./configure --prefix=/sw/pkg/apache \
  --enable-ssl=shared
 ?
 
 ... and load mod_ssl.so dynamically with Loadmodule latter on? Right?
 (Of course its right.. ;) )
 
 Now you have to do some work on your own, you can't expect others to do it
 all for you and remain lazy.
 
 You call me lazy and think you know me after one email, that's cute. ;) I
 was asking a question and not hiring you or anybody else for a job. You even
 didnt have to answer. Im not demanding anything. (This is the first time I
 ask a usergroup a question at all, silly.)
 
 The new apache is not the best as far as documentation concerns, certainly
 not up to the documentation that the older apache with or without mod-ssl
 integration, but, there is info to be gleened, if one looks
 
 Right, I and other developers still havnt all day, thats why it exists
 user-groups to ask someone who already knows and perhaps have some time over
 for an clear answer.
 
 If I had some time over myself I would be happy to contribute with some
 quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
 SSL must be one of the most common configurations... Perhaps I will
 contribute in not-so-distance-future. ;)
 
 Regards
 
 /Johan
 
 
 
 
 
 
 
 -Original Message-
 From: R. DuFresne [mailto:[EMAIL PROTECTED]]
 Sent: den 4 december 2002 16:53
 To: Johan Bryssling
 Cc: [EMAIL PROTECTED]
 Subject: Re: Mod_ssl in apache 2.X
 
 
 
 Didn't read any of the documentation in that tarball did ya?
 
INSTALL
 
   [SNIP]
 
   For a short impression of what possibilities you have, here is a
   typical example which configures Apache for the installation tree
   /sw/pkg/apache with a particular compiler and flags plus the two
   additional modules mod_rewrite and mod_speling for later loading
   through the DSO mechanism:
 
  $ CC=pgcc CFLAGS=-O2 \
  ./configure --prefix=/sw/pkg/apache \
  --enable-rewrite=shared \
  --enable-speling=shared
 
   The easiest way to find all of the configuration flags for Apache 2.0
   is to run ./configure --help.
 
   [SNIP]
 
 The new apache is not the best as far as documentation concerns, certainly
 not up to the documentation that the older apache with or without mod-ssl
 integration, but, there is info to be gleened, if one looks.
 
 How about the apache web pages, read that at all?
 
 Now you have to do some work on your own, you can't expect others to do it
 all for you and remain lazy.
 
 Thanks,
 
 Ron DuFresne
 
 On Wed, 4 Dec 2002, Johan Bryssling wrote:
 
  Hi!
 
  I have a couple of questions:
 
  If mod_ssl is included in apache2.x why doesnt it show up in the
 modulelist
  when I use:
 
  % httpd -l
 
  ?
 
  If it's not included when I default compile (using the INSTALL-file
  instructions), how do I know how to compile in the mod_ssl into the apache
  (if this is my first time)?
 
  Where do I find information about these things, I certanly dont install
  apache at a regulary basis.. ;-)
 
  I noted a default config file for SSL (I also found an include into the
  httpd.config-file) and used the command:
 
  %httpd -DSSL -k start
 
  .. but it(apache) couldnt find the mod_ssl.. Why? If it's included I
  shouldnt bother or?... Something I missed?
 
  All help will be appricated.
 
  Thanks...
 
  /Johan
 
  ps. Thinking of using Apache 1.3.7 instead due to the extended source of
  good documentation...
 
 
 
 
 --
 ~~
 admin  senior security consultant:  sysinfo.com
 http://sysinfo.com
 
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation.
 -- Johnny Hart
 
 testing, only testing, and damn good at it too!
 
 
 

Re: mod_ssl mod_proxy

2002-12-05 Thread Christopher McCrory
Hello...



On Thu, 2002-12-05 at 10:12, HMajidy wrote:
 This is to report a problem with Apache with mod_ssl and mod_proxy,
 and to request the community’s help in resolving it.  
 
  
 
 Objective: The objective is to set up Apache as a reverse proxy, to
 receive encrypted HTTPS traffic over the Internet and to convert it to
 HTTP and direct it to a web server through a firewall.
 

From what I see, you don't have a proxypass directive, ala:


ProxyPass        /foo http://cruella.pricegrabber.com/foo
ProxyPassReverse /foo http://cruella.pricegrabber.com/foo


  
 
 Problem: Apache seems to be redirecting traffic to the virtual hosts
 on the local filesystem correctly, but mod_proxy does not seem to send
 requests to remote URL (as specified by ProxyRemote directive below).
 SSL does display correct certificate from requesting browser.
 
  
 
 Troubleshooting Steps Taken: Experimenting with the target URL (IP and
 hostname) and various proxy directives (ie ProxyPassReverse, ProxyPass)
 I have not been able to establish that proxy is doing anything at all.
 
 Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well
 as statically linked in modules.
 
  
 
 Here’s the system configuration:
 
 Linux version 2.2.16-22smp
 
 gcc version egcs-2.91.66
 
 Server version: Apache/1.3.27 (Unix)
 
 Compiled-in modules:
 
   http_core.c
 
   mod_env.c
 
   mod_log_config.c
 
   mod_mime.c
 
   mod_negotiation.c
 
   mod_status.c
 
   mod_include.c
 
   mod_autoindex.c
 
   mod_dir.c
 
   mod_cgi.c
 
   mod_asis.c
 
   mod_imap.c
 
   mod_actions.c
 
   mod_userdir.c
 
   mod_alias.c
 
   mod_access.c
 
   mod_auth.c
 
   mod_proxy.c
 
   mod_setenvif.c
 
   mod_ssl.c
 
 OpenSSL 0.9.6g 9 August 2002
 
  
 
 httpd.conf
 
 AddModule mod_proxy.c
 <IfModule mod_proxy.c>
 ProxyRequests off
 NoCache *
 AllowCONNECT 443,80
 <Directory />
 Order Allow,Deny
 Allow from All
 </Directory>
 ProxyRemote * http://1.2.3.4:85
 </IfModule>
 
 NameVirtualHost *
 
 Listen *:443
 <VirtualHost _default_:443>
 SSLEngine on
 ServerName www.mydomain.com
 DocumentRoot /usr/local/apache/htdocs
 ErrorLog logs/443-error_log
 </VirtualHost>
 
 Listen *:80
 <VirtualHost *:80>
 ServerAdmin [EMAIL PROTECTED]
 DocumentRoot /usr/local/apache/www
 ServerName www1.mydomain.com
 ErrorLog logs/80-error_log
 </VirtualHost>
 
  
 
 Can anyone see a conflict or omission in this configuration? Does
 anyone have these two modules working together in a reverse proxy
 scenario? Any help or suggestions would be appreciated.
 
  
 
 Regards,
 
 Hamid.
 
  
 
 PS. Please reply to [EMAIL PROTECTED] as well as to this list.
-- 
Christopher McCrory [EMAIL PROTECTED]
Pricegrabber
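
The reply's point as an added check (not code from the thread): with `ProxyRequests off`, only `ProxyPass` hands requests to mod_proxy, so a configuration with `ProxyRemote` alone keeps serving from `DocumentRoot`. The sample reconstructs the posted configuration with its stripped angle brackets restored; `backend.example`, the function names and the finding labels are assumptions.

```python
import re

OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE = re.compile(r"^</(\w+)>$")

# Constructed sample: the configuration posted in this thread, angle
# brackets restored, ServerAdmin omitted.
POSTED_CONF = """\
AddModule mod_proxy.c
<IfModule mod_proxy.c>
ProxyRequests off
NoCache *
AllowCONNECT 443,80
<Directory />
Order Allow,Deny
Allow from All
</Directory>
ProxyRemote * http://1.2.3.4:85
</IfModule>
NameVirtualHost *
Listen *:443
<VirtualHost _default_:443>
SSLEngine on
ServerName www.mydomain.com
DocumentRoot /usr/local/apache/htdocs
ErrorLog logs/443-error_log
</VirtualHost>
Listen *:80
<VirtualHost *:80>
DocumentRoot /usr/local/apache/www
ServerName www1.mydomain.com
ErrorLog logs/80-error_log
</VirtualHost>
"""

# Constructed variant: the two directives from the reply added to the SSL
# virtual host, pointing at a placeholder backend.
FIXED_CONF = POSTED_CONF.replace(
    "ErrorLog logs/443-error_log",
    "ProxyPass /foo http://backend.example/foo\n"
    "ProxyPassReverse /foo http://backend.example/foo\n"
    "ErrorLog logs/443-error_log",
)


def parse(conf):
    """Split httpd.conf text into main-server and per-vhost directives.

    Directives are (lowercased name, argument string). Containers other than
    <VirtualHost> are flattened into the enclosing scope, which is enough
    for the checks below.
    """
    server, vhosts, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN.match(line), CLOSE.match(line)
        if opened or closed:
            if (opened or closed).group(1).lower() == "virtualhost":
                current = (opened.group(2), []) if opened else None
                if opened:
                    vhosts.append(current)
            continue
        parts = line.split(None, 1)
        directive = (parts[0].lower(), parts[1] if len(parts) > 1 else "")
        (current[1] if current else server).append(directive)
    return server, vhosts


def check_reverse_proxy(conf):
    """Return (ServerName, finding) pairs for each SSL virtual host."""
    server, vhosts = parse(conf)
    findings = []
    for addr, directives in vhosts:
        if not any(n == "sslengine" and a.lower() == "on" for n, a in directives):
            continue
        # Assumption of this sketch: main-server mod_proxy settings apply to
        # every virtual host as well.
        effective = server + directives
        names = {name for name, _ in effective}
        host = dict(directives).get("servername", addr)
        if any(n == "proxyrequests" and a.lower() == "on" for n, a in effective):
            findings.append((host, "forward-proxy-enabled"))
        if "proxypass" not in names:
            findings.append((host, "no-proxypass"))
            if "proxyremote" in names:
                findings.append((host, "proxyremote-has-nothing-to-forward"))
        elif "proxypassreverse" not in names:
            findings.append((host, "no-proxypassreverse"))
    return findings


if __name__ == "__main__":
    print(check_reverse_proxy(POSTED_CONF))
    print(check_reverse_proxy(FIXED_CONF))
```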




Re: mod_ssl mod_proxy

2002-12-05 Thread Alexandre


oh my God
I have exactly the same problem ...
the only difference is that my authentication is on an LDAP directory in
the internal net
when I click on the link http://host.myinternalnet.com
nothing happens
only the loop
and Apache doesn't get a request
I'm sniffing the interfaces but the request doesn't send OK.
can anyone help us ???
thanks
Alexandre
HMajidy wrote:

This is to report a problem with Apache with mod_ssl and mod_proxy, and to
request the community's help in resolving it.

Objective: The objective is to set up Apache as a reverse proxy, to receive
encrypted HTTPS traffic over the Internet and to convert it to HTTP and
direct it to a web server through a firewall.

Problem: Apache seems to be redirecting traffic to the virtual hosts on the
local filesystem correctly, but mod_proxy does not seem to send requests to
remote URL (as specified by ProxyRemote directive below). SSL does display
correct certificate from requesting browser.

Troubleshooting Steps Taken: Experimenting with the target URL (IP and
hostname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I
have not been able to establish that proxy is doing anything at all.

Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as
statically linked in modules.

Here's the system configuration:

Linux version 2.2.16-22smp
gcc version egcs-2.91.66
Server version: Apache/1.3.27 (Unix)
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_proxy.c
  mod_setenvif.c
  mod_ssl.c
OpenSSL 0.9.6g 9 August 2002

httpd.conf

AddModule mod_proxy.c
<IfModule mod_proxy.c>
ProxyRequests off
NoCache *
AllowCONNECT 443,80
<Directory />
Order Allow,Deny
Allow from All
</Directory>
ProxyRemote * http://1.2.3.4:85
</IfModule>

NameVirtualHost *

Listen *:443
<VirtualHost _default_:443>
SSLEngine on
ServerName www.mydomain.com
DocumentRoot /usr/local/apache/htdocs
ErrorLog logs/443-error_log
</VirtualHost>

Listen *:80
<VirtualHost *:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/www
ServerName www1.mydomain.com
ErrorLog logs/80-error_log
</VirtualHost>

Can anyone see a conflict or omission in this configuration? Does anyone have
these two modules working together in a reverse proxy scenario? Any help
or suggestions would be appreciated.

Regards,

Hamid.

PS. Please reply to [EMAIL PROTECTED] as well as to this list.




RE: mod_ssl mod_proxy

2002-12-05 Thread HMajidy



Apache does get the requests in my case, as verified in log files created by
CustomLog /usr/local/apache/logs/referer_log referer
CustomLog /usr/local/apache/logs/agent_log agent
in httpd.conf. BTW, my LDAP authentication is handled by the internal
(iPlanet) web server.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Alexandre
  Sent: Thursday, December 05, 2002 8:53 AM
  To: [EMAIL PROTECTED]
  Subject: Re: mod_ssl  mod_proxy

  oh my God
  I have exactly the same problem ...
  the only difference is that my authentication is on an LDAP directory in
  the internal net
  when I click on the link http://host.myinternalnet.com
  nothing happens
  only the loop
  and Apache doesn't get a request
  I'm sniffing the interfaces but the request doesn't send OK.
  can anyone help us ???
  thanks
  Alexandre
  HMajidy wrote:

This is to report a problem with Apache with mod_ssl and mod_proxy, and to
request the community's help in resolving it.

Objective: The objective is to set up 
Apache as a reverse proxy, to receive encrypted HTTPS traffic over the 
Internet and to convert it to HTTP and direct it to a web server through a 
firewall. 

Problem: Apache seems to be redirecting 
traffic to the virtual hosts on the local filesystem correctly, but 
mod_proxy does not seem to send requests to remote URL (as specified by 
ProxyRemote directive below). SSL does display correct certificate from 
requesting browser. 

Troubleshooting Steps Taken: 
Experimenting with the target URL (IP and hostname) and various proxy 
directives (ie ProxyPassReverse, ProxyPass) I have not been able to 
establish that proxy is doing anything at all. 
Apache has been recompiled with mod_ssl 
and mod_proxy as DSOs as well as statically linked in modules. 


Here's the system configuration:
Linux version 
2.2.16-22smp 
gcc version egcs-2.91.66 
Server version: Apache/1.3.27 
(Unix) 
Compiled-in modules: 
http_core.c 
mod_env.c 
mod_log_config.c 
mod_mime.c 
mod_negotiation.c 
mod_status.c 
mod_include.c 
mod_autoindex.c 
mod_dir.c 
mod_cgi.c 
mod_asis.c 
mod_imap.c 
mod_actions.c 
mod_userdir.c 
mod_alias.c 
mod_access.c 
mod_auth.c 
mod_proxy.c 
mod_setenvif.c 
mod_ssl.c 
OpenSSL 0.9.6g 9 August 
2002 

httpd.conf
AddModule mod_proxy.c
<IfModule mod_proxy.c>
ProxyRequests off
NoCache *
AllowCONNECT 443,80
<Directory />
Order Allow,Deny
Allow from All
</Directory>
ProxyRemote * http://1.2.3.4:85
</IfModule>
NameVirtualHost *
Listen *:443
<VirtualHost _default_:443>
SSLEngine on
ServerName www.mydomain.com
DocumentRoot /usr/local/apache/htdocs
ErrorLog logs/443-error_log
</VirtualHost>
Listen *:80
<VirtualHost *:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/www
ServerName www1.mydomain.com
ErrorLog logs/80-error_log
</VirtualHost>

Can anyone see a conflict or omission 
in this configuration? Does anyone have these two modules working together 
in a reverse proxy scenario? Any help or suggestions would be 
appreciated. 

Regards, 
Hamid. 

PS. Please reply to [EMAIL PROTECTED] as well as to this 
list.


RE: Mod_ssl in apache 2.X

2002-12-05 Thread David Loesche
Here is a config for Solaris 8, gcc 3.1, Apache 2.x - multithreaded with SSL
- I had no issues with this and am not an expert on Linux by any means.
Perhaps this might help.  If not delete it.

#!/bin/ksh
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/ssl/lib:/usr/lib
export PATH LD_LIBRARY_PATH

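# The assignments and ./configure form one continued command line, so the
# variables are passed to configure's environment.
SSL_BASE=/usr/local/ssl \
LIBS=/usr/lib/libC.so.5 \
CFLAGS=-fPIC \
./configure --prefix=/opt/apache \
--enable-ssl \
--with-ssl=/usr/local/ssl/ \
--enable-so \
--with-mpm=worker \
--enable-deflate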

David S. Loesche
[EMAIL PROTECTED] Yipes Enterprise Services, Inc.
Main:   (415) 901-2000  114 Sansome Street, Suite 1045
Direct: (415) 901-2210  San Francisco, CA 94104
Fax:(415) 901-2201  http://www.yipes.com

Yipes is the defining provider of fully scalable bandwidth for businesses.
We offer fully managed high-speed Internet and Nationwide LAN-to-LAN
services at speeds ranging from 1 Mbps to 1 Gbps, in 1 Mbps increments. 

Yipes delivers this uniquely flexible service over the first nationwide
system of optical IP networks.


-Original Message-
From: Johan Bryssling [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 2:39 AM
Cc: [EMAIL PROTECTED]
Subject: RE: Mod_ssl in apache 2.X

Hi!

Im not here to quarrel with you kid. Im here to get some help, and your
insults are not helping very much.

I thought this was the modssl-users list for people with
not-so-much-expert-knowledge and not the linux-experts-with-nolife
mailinglist.

Im working under time pressure and cannot afford reading old documentation
all day and then guess how the latter versions work (but of course I have
read most of the old documentation anyway...).

If I understand the example below I could rewrite it:

CC=pgcc CFLAGS=-O2 \
 ./configure --prefix=/sw/pkg/apache \
 --enable-ssl=shared
?

... and load mod_ssl.so dynamically with Loadmodule latter on? Right?
(Of course its right.. ;) )

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

You call me lazy and think you know me after one email, that's cute. ;) I
was asking a question and not hiring you or anybody else for a job. You even
didnt have to answer. Im not demanding anything. (This is the first time I
ask a usergroup a question at all, silly.)

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleened, if one looks

Right, I and other developers still havnt all day, thats why it exists
user-groups to ask someone who already knows and perhaps have some time over
for an clear answer.

If I had some time over myself I would be happy to contribute with some
quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
SSL must be one of the most common configurations... Perhaps I will
contribute in not-so-distance-future. ;)

Regards

/Johan







-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: den 4 december 2002 16:53
To: Johan Bryssling
Cc: [EMAIL PROTECTED]
Subject: Re: Mod_ssl in apache 2.X



Didn't read any of the documentation in that tarball did ya?

   INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a
  typical example which configures Apache for the installation tree
  /sw/pkg/apache with a particular compiler and flags plus the two
  additional modules mod_rewrite and mod_speling for later loading
  through the DSO mechanism:

 $ CC=pgcc CFLAGS=-O2 \
 ./configure --prefix=/sw/pkg/apache \
 --enable-rewrite=shared \
 --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0
  is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleened, if one looks.

How about the apache web pages, read that at all?

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

 Hi!

 I have a couple of questions:

 If mod_ssl is included in apache2.x why doesnt it show up in the
modulelist
 when I use:

 % httpd -l

 ?

 If it's not included when I default compile (using the INSTALL-file
 instructions), how do I know how to compile in the mod_ssl into the apache
 (if this is my first time)?

 Where do I find information about these things, I certanly dont install
 apache at a regulary basis.. ;-)

 I noted a default config file for SSL (I also found an include into the
 httpd.config-file) and used the command:

 %httpd -DSSL -k start

 .. but it(apache

mod_ssl mod_proxy

2002-12-05 Thread HMajidy





This is to report a problem with Apache with mod_ssl and 
mod_proxy, and to request the community’s help in resolving it. 

Objective: The objective is to set up Apache as a reverse proxy, to 
receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and 
direct it to a web server through a firewall.

Problem: Apache seems to be redirecting traffic to the virtual hosts on 
the local filesystem correctly, but mod_proxy does not seem to send requests to 
remote URL (as specified by ProxyRemote directive below). SSL does display 
correct certificate from requesting browser.

Troubleshooting Steps Taken: Experimenting with the target URL (IP and 
hostname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have 
not been able to establish that proxy is doing anything at all.
Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as 
statically linked in modules.

Here’s the system configuration:
Linux version 2.2.16-22smp
gcc version egcs-2.91.66
Server version: Apache/1.3.27 (Unix)
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_proxy.c
  mod_setenvif.c
  mod_ssl.c
OpenSSL 0.9.6g 9 August 2002

httpd.conf
AddModule mod_proxy.c
<IfModule mod_proxy.c>
ProxyRequests off
NoCache *
AllowCONNECT 443,80
<Directory />
Order Allow,Deny
Allow from All
</Directory>
ProxyRemote * http://1.2.3.4:85
</IfModule>
NameVirtualHost *
Listen *:443
<VirtualHost _default_:443>
SSLEngine on
ServerName www.mydomain.com
DocumentRoot /usr/local/apache/htdocs
ErrorLog logs/443-error_log
</VirtualHost>
Listen *:80
<VirtualHost *:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/www
ServerName www1.mydomain.com
ErrorLog logs/80-error_log
</VirtualHost>

Can anyone see a conflict or omission in this configuration? Does anyone 
have these two modules working together in a reverse proxy scenario? Any help or 
suggestions would be appreciated.

Regards,
Hamid.


Re: mod_ssl and mod_jk (Win32)

2002-12-04 Thread Paul Christmann
Answering my own question in case anyone else ever encounters this:

Modify Tomcat's server.xml specifying scheme=https (rather than 
scheme=http) for the Connector used to wire Apache and Tomcat.

Paul Christmann wrote:
Environment:

Running Apache 2.0.43/OpenSSL 9.6.g as downloaded from 
hunter.campbus.com and mod_jk 1.2.1 for build 2.0.43 from jakarta.

Problem:

When I access the URL https://localhost/app, I *hope* to get the 
contents of index.html (i.e., https://localhost/app/index.html). 
Instead, my browser (Mozilla 1.0) reports a Bad Request error, 
indicating that there was a protocol error in accessing the URL 
http://localhost:443/app/index.html.

Of course there will be a protocol error -- using http to talk to the 
https port!

Any ideas where that error might come from?  I assume it's something 
happening with a redirect in Tomcat.

FWIW:

Each of the following URLs work fine (right now, I have Apache 
configured to take all connections either from http or https and forward 
to Tomcat):

+ http://localhost/app
+ http://localhost/app/index.html
+ https://localhost/app/index.html

It's only the https://localhost/app URL that's failing.

Thanks for any assistance,

Paul Christmann





Mod_ssl in apache 2.X

2002-12-04 Thread Johan Bryssling
Hi!

I have a couple of questions:

If mod_ssl is included in apache2.x why doesn't it show up in the module list
when I use:

% httpd -l

?

If it's not included when I default compile (using the INSTALL-file
instructions), how do I know how to compile in the mod_ssl into the apache
(if this is my first time)?

Where do I find information about these things, I certainly don't install
apache on a regular basis.. ;-)

I noted a default config file for SSL (I also found an include into the
httpd.config-file) and used the command:

%httpd -DSSL -k start

.. but it (apache) couldn't find the mod_ssl.. Why? If it's included I
shouldn't bother or?... Something I missed?

All help will be appreciated.

Thanks...

/Johan

ps. Thinking of using Apache 1.3.7 instead due to the extended source of
good documentation...





Re: Mod_ssl in apache 2.X

2002-12-04 Thread R. DuFresne

Didn't read any of the documentation in that tarball did ya?

   INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a
  typical example which configures Apache for the installation tree
  /sw/pkg/apache with a particular compiler and flags plus the two
  additional modules mod_rewrite and mod_speling for later loading
  through the DSO mechanism:

 $ CC=pgcc CFLAGS=-O2 \
 ./configure --prefix=/sw/pkg/apache \
 --enable-rewrite=shared \
 --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0
  is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleaned, if one looks.

How about the apache web pages, read that at all?

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

 Hi!
 
 I have a couple of questions:
 
 If mod_ssl is included in apache2.x why doesn't it show up in the module list
 when I use:
 
 % httpd -l
 
 ?
 
 If it's not included when I default compile (using the INSTALL-file
 instructions), how do I know how to compile in the mod_ssl into the apache
 (if this is my first time)?
 
 Where do I find information about these things, I certainly don't install
 apache on a regular basis.. ;-)
 
 I noted a default config file for SSL (I also found an include into the
 httpd.config-file) and used the command:
 
 %httpd -DSSL -k start
 
 .. but it(apache) couldn't find the mod_ssl.. Why? If it's included I
 shouldn't bother or?... Something I missed?
 
 All help will be appreciated.
 
 Thanks...
 
 /Johan
 
 ps. Thinking of using Apache 1.3.7 instead due to the extended source of
 good documentation...
 
 
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!





can´t configure mod_ssl

2002-11-22 Thread Gilberto Garcia Jr.



Hey guys,

Can someone explain to me how to configure mod_ssl on the Apache web server?
I have installed Apache with mod_ssl on a Red Hat 7.3

thanks



Solaris 7 8: Problem and solution with mod_ssl and PRNGD when updating to 1.3.27

2002-11-22 Thread Alex Kuehne
Hi folks,

I am currently updating all my apache servers to the newest version of
apache/mod_ssl/openssl, at least I tried until I found the solution.

I get an error when starting the freshly compiled apache 1.3.27 with
config from 1.3.26:

[Fri Nov 22 11:56:43 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 22 11:56:43 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 22 11:56:43 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

I know this is because under Solaris9 there is no /dev/(u)random. So I
use the prngd daemon by Lutz Jaenicke since ever.

My working configuration in httpd.conf from version 1.3.26/2.8.10 is:

SSLRandomSeed startup egd:/etc/egd-pool
SSLRandomSeed connect egd:/etc/egd-pool

But this does not work with 1.3.27/2.8.12 obviously.

The solution is appending the bytes you wish to get from prngd:

SSLRandomSeed startup egd:/etc/egd-pool 512
SSLRandomSeed connect egd:/etc/egd-pool 512

As far as I searched this is not documented. Please can anyone insert
this into the documentation chapter 3?

Thanks and regards
Alex Kuehne





RE: can´t configure mod_ssl

2002-11-22 Thread Boyle Owen
Have you tried?

Post your attempted config directives and describe what happened or went
wrong and I'm sure someone will respond.

-Original Message-
From: Gilberto Garcia Jr. [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 22. November 2002 13:12
To: mod ssl
Subject: can´t configure mod_ssl


Hey guys,

Can someone explain to me how to configure mod_ssl on the Apache web server? I
have installed Apache with mod_ssl on a Red Hat 7.3

thanks




can´t configure mod_ssl

2002-11-22 Thread Gilberto Garcia Jr.



Yes, I've tried.

I followed a lot of tutorials. I created one certificate at all.

But when I tried $curl https://127.0.0.1/ I got an error.

And in most of the tutorials I saw the httpsd start command, and the
httpdctl startssl command. But I didn't find both of the executables on
my server.

thanks


RE: can´t configure mod_ssl

2002-11-22 Thread Boyle Owen
You have to describe clearly what you did.
- Post the extract of httpd.conf which defines your SSL virtual host
- cut'n'paste the command you are using to start apache in SSL
- post the *exact* error you receive 
- post any messages which appear in the ssl_engine_log and/or error_log

Then we might be able to help.

-Original Message-
From: Gilberto Garcia Jr. [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 22. November 2002 15:43
To: mod ssl
Subject: can´t configure mod_ssl


Yes, I've tried.

I followed a lot of tutorials. I created one certificate at all.

But when I tried $curl https://127.0.0.1/ I got an error.

And in most of the tutorials I saw the httpsd start command, and the
httpdctl startssl command. But I didn't find both of the executables on
my server.

thanks




Re: can´t configure mod_ssl

2002-11-22 Thread Julio César Mejia Vergara
Hi Gilberto,

Here you go.

Regards
Julio Mejia
TELNOR
Tijuana-Baja California-México.

DESCRIPTION: Steps to install Apache 1.3.19 with ModSSL 2.8.1 for 
Apache 1.3.19.

Step 1: Have the following installed beforehand: the C compiler (GNUgcc 2.95.2) 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_GNUgcc2_95_2_Sol.html, 
and the make utility (GNUmake 2.78.1) 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_GNUmake3_78_1_Sol.html 
from GNU, plus Perl 5.6.0 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_Perl5_6_Sol.html, 
the JDK 1.3 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_JDK1.3_Sol.html,  
OpenSSL 0.9.6 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_OpenSSL0_9_6_Sol.html 
(you can look for the newest version of ModSSL at www.modssl.org 
http://www.modssl.org) and the MM 1.1.3 virtual memory libraries. 
http://intranet.telnor.com/netshare/Sistemas/Tecnologia/TecnologiaT/Knowledge/jume/Inst_MM_1_1_3_Sol.html

Step 2: Create the temporary directory where the modssl and apache 
software to be installed will be placed.

#mkdir /trayectoria/temp

Step 3: Copy the software to be installed to the temporary directories created.

#cp mod_ssl-2.8.1-1.3.19.tar /trayectoria/temp
#cp apache_1.3.19.tar /trayectoria/temp

Step 4: Unpack the ModSSL and Apache installation software.

#cd /trayectoria/temp
#tar -xvf mod_ssl-2.8.1-1.3.19.tar
#cd /trayectoria/temp
#tar -xvf apache_1.3.19.tar

Step 5: Create the directory where Apache will be installed.

#cd /usr/local
#mkdir apache

Step 6: Add the following environment variables to the .profile file 
under root /; if the file does not exist, create it.

# vi .profile
#
# @(#)local.profile 1.6 98/02/06 SMI
#
stty istrip
PATH=.:/usr/local/bin:/usr/java/bin:/bin:/usr/ccs/bin:/usr/local/ssl/bin:/usr/local/apache/bin:$PATH
LD_LIBRARY_PATH=/usr/local/lib:/lib:/usr/lib:/usr/local/ssl/lib:$LD_LIBRARY_PATH
MANPATH=/usr/local/man:/usr/man:$MANPATH
CLASSPATH=/opt/JSDK2.0/lib/jsdk.jar
JAVA_HOME=/usr/java
export PATH  LD_LIBRARY_PATH MANPATH CLASSPATH JAVA_HOME

#
# If possible, start the windows system
#
if [ "`tty`" = "/dev/console" ] ; then
   if [ "$TERM" = "sun" -o "$TERM" = "AT386" ] ; then

   if [ "${OPENWINHOME:-}" = "" ] ; then
   OPENWINHOME=/usr/openwin
   export OPENWINHOME
   fi

   echo ""
   echo "Starting OpenWindows in 5 seconds (type Control-C to interrupt)"
   sleep 5
   echo ""
   $OPENWINHOME/bin/openwin

   clear # get rid of annoying cursor rectangle
   exit # logout after leaving windows system

   fi
fi

Step 7: The modssl configuration file will install the SSL module in 
Apache and install it, so run the following installation command from 
modssl.

#cd /trayectoria/temp/mod_ssl-2.8.1-1.3.19
#./configure --with-apache=../apache_1.3.19 --with-ssl=../openssl-0.9.6 \
  --with-mm=../mm-1.1.3 --prefix=/usr/local/apache --enable-module=ssl \
  --enable-module=so --enable-shared=max --enable-rule=SHARED_CORE \
  --enable-rule=EAPI
#cd /trayectoria/temp/apache_1.3.19
#make
#make certificate TYPE=test
Signature Algorithm ((R)SA or (D)SA) [R]: R
Country Name (2 letter code): MX
State or Province Name (full name): Baja California
Locality Name (eg, City): Tijuana
Organization Name (eg, company): Telefonos del Noroeste S.A. de C.V.
Organizational Unit Name (eg, section): Sistemas
Common Name (eg, FQDN): nombre_maquina.telnor.com
Email Address (eg, name@FQDN): [EMAIL PROTECTED]
Certificate Validity (days): 365
Certificate Version (1 or 3): 3
Encrrypt the private key now? [Y/n]: Y
Enter PEM pass phrase: 
Verifying password - Enter PEM pass phrase: 
#make install
#

Step 8: Edit the Apache configuration file and start the 
server with SSL.

#cd  /usr/local/apache/conf
#vi httpd.conf
configure the file!!
#cd ../bin
#apachectl startssl
pass phrase: 
apache started.
#

To stop Apache use:

#apachectl stop
#



Gilberto Garcia Jr. wrote:

Hey guys,
 
Can someone explain to me how to configure mod_ssl on the Apache web server? I 
have installed Apache with mod_ssl on a Red Hat 7.3
 
thanks
 






Problem: Mod_SSL and flex -Pssl_expr_yy -s -B ssl_expr_scan.l on Solaris 2.9

2002-11-22 Thread Rich McGee
I'm attempting to build Apache 1.3.27 on a new Solaris 2.9 system. I am 
following Option 2 in the INSTALL of the mod_ssl-2.8.12-1.3.27, and I'm 
stumped.

After I configure and make (using gcc) all the required components (Both 
with and without mm) the make of the Apache server itself stops at:
flex -Pssl_expr_yy -s -B ssl_expr_scan.l

The CPU jumps to 99%, no error is generated, but this command never 
finishes. I've let it run for two days now, rebuilt the distribution from 
scratch, etc.

Any suggestions? If I build Apache without the SSL option, it works fine.

(No, I can't use Apache 2.0, the modules I will eventually have to link 
into it aren't yet supported by it)

Rich McGee
CSU San Bernardino



Re: FreeBSD 4.x and Apache+mod_ssl

2002-11-20 Thread justin
here are some good certificate howtos hope they help you

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html#AEN139

-- 
   _ __ ___   ___ ___ ___
  Justin Bastedo_ __ ___ | _ ) __|   \
  [EMAIL PROTECTED]   _ __ | _ \._ \ |) |
  FreeBSD: The Power To Serve  _ |___/___/___/



missing CRL nextUpdate field - Bug in mod_ssl (seg fault)

2002-11-20 Thread Alon Philosoph



Hi,

When using a CRL without the nextUpdate field (you can create such CRL in
iPlanet), I get a segmentation fault (using mod_ssl-2.8.8-1.3.24).

This occurs in the call:

i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));

since X509_CRL_get_nextUpdate(crl) returns NULL in this situation.
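
A defender-side check for the condition reported above, as an added example that is not part of the original post or of mod_ssl: it parses a DER or PEM CRL in pure Python and reports whether the optional nextUpdate field is present, so such CRLs can be found before they are handed to the server. The function names and the sample CRLs (built inline, with a dummy signature that is never verified) are constructed for illustration.

```python
import base64

SEQUENCE, INTEGER = 0x30, 0x02
TIME_TAGS = (0x17, 0x18)  # UTCTime, GeneralizedTime


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def load_crl(data):
    """Accept DER or PEM ("-----BEGIN X509 CRL-----") and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data


def crl_update_fields(data):
    """Return (thisUpdate, nextUpdate); nextUpdate is None when the field is absent."""
    tag, cert_list, _ = read_tlv(load_crl(data), 0)
    if tag != SEQUENCE:
        raise ValueError("not a CertificateList")
    outer = children(cert_list)
    if not outer or outer[0][0] != SEQUENCE:
        raise ValueError("missing tbsCertList")
    tbs = children(outer[0][1])
    i = 1 if tbs and tbs[0][0] == INTEGER else 0      # optional version
    # signature AlgorithmIdentifier, issuer Name and thisUpdate are mandatory
    tags = [t for t, _ in tbs[i:i + 3]]
    if len(tags) < 3 or tags[:2] != [SEQUENCE, SEQUENCE] or tags[2] not in TIME_TAGS:
        raise ValueError("unexpected tbsCertList layout")
    this_update = tbs[i + 2][1].decode("ascii")
    nxt = tbs[i + 3] if len(tbs) > i + 3 else None
    # nextUpdate is OPTIONAL: the next element may instead be revokedCertificates
    # (SEQUENCE) or crlExtensions ([0]), so only a Time tag counts.
    next_update = nxt[1].decode("ascii") if nxt and nxt[0] in TIME_TAGS else None
    return this_update, next_update


def lacks_next_update(data):
    """True when nextUpdate is absent (the case the post reports as returning NULL)."""
    return crl_update_fields(data)[1] is None


# --- constructed sample input: minimal DER encoder and a CRL with dummy signature ---
def der(tag, content=b""):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def sample_crl(next_update=True, revoked=False):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05))
    name = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))
    issuer = der(0x30, der(0x31, name))
    tbs = der(0x02, b"\x01") + alg + issuer + der(0x17, b"021120000000Z")
    if next_update:
        tbs += der(0x17, b"021220000000Z")
    if revoked:  # one revoked entry: serial 5 with its own revocationDate
        tbs += der(0x30, der(0x30, der(0x02, b"\x05") + der(0x17, b"021119000000Z")))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for label, crl in [("with nextUpdate", sample_crl(revoked=True)),
                       ("without nextUpdate", sample_crl(next_update=False, revoked=True))]:
        print(label, crl_update_fields(crl), "missing:", lacks_next_update(crl))
```

The revoked entry in the second sample carries its own revocationDate, which shows why the check looks only at the element directly after thisUpdate.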


Re: FreeBSD 4.x and Apache+mod_ssl

2002-11-20 Thread Ronnie Clark
Marcel, 

Thanks for the help, but I am either too sleepy or too slow to make 
this work right. I did these steps from the /usr/ports/www/apache13-
modssl/ directory:
make
make certificate TYPE=custom
make install

When I do the make install, it automatically writes in the snake oil CA 
and server cert, which are old and expired. How do I get it to 
recognize and use my new custom CA and server cert?

Thanks again for the help. I am also sending this to freebsd-questions.
Ron Clark


 from /usr/ports/www/apache13-modssl/ run:
 make certificate TYPE=custom
 
 and follow the prompts..  remember to copy them to wherever you're storing the 
 certs apache uses and run make from that dir to update the links... 
 
 That should do it :)
 Hope this helps!
 Marcel
 
 
 
 On Tuesday 19 November 2002 21:54, Ronnie Clark wrote:
  Hello all,
 
  I am running FreeBSD 4.7 STABLE and just loaded mysql,
  Apache13+mod_ssl, and mod_php4 from the ports collection. I got php and
  SSL playing nice together, but I now have a website that is showing an
  invalid cert. How do I generate my own CA and new server cert signed by
  that CA in this format?
 
  Thanks in advance,
  Ron Clark
 
 
  
 
 -- 
 They that give up essential liberty to obtain a little temporary 
safety... 
 deserve neither safety nor liberty. - Benjamin Franklin(1759)
 
 






Re: FreeBSD 4.x and Apache+mod_ssl

2002-11-20 Thread camccuk
> Thanks for the help, but I am either too sleepy or too slow to make 
> this work right. I did these steps from the /usr/ports/www/apache13-
> modssl/ directory:
> make
> make certificate TYPE=custom
> make install
>
> When I do the make install, it automatically writes in the snake oil CA 
> and server cert, which are old and expired. How do I get it to 
> recognize and use my new custom CA and server cert?

I'd highly recommend the CA scripts available at ModSSL thusly:

http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

-
[EMAIL PROTECTED]





FreeBSD 4.x and Apache+mod_ssl

2002-11-19 Thread Ronnie Clark

Hello all, 

I am running FreeBSD 4.7 STABLE and just loaded mysql, 
Apache13+mod_ssl, and mod_php4 from the ports collection. I got php and 
SSL playing nice together, but I now have a website that is showing an 
invalid cert. How do I generate my own CA and new server cert signed by 
that CA in this format?

Thanks in advance,
Ron Clark





Re: FreeBSD 4.x and Apache+mod_ssl

2002-11-19 Thread Marcel Erkens
from /usr/ports/www/apache13-modssl/ run:
make certificate TYPE=custom

and follow the prompts..  remember to copy them to wherever you're storing the 
certs apache uses and run make from that dir to update the links... 

That should do it :)
Hope this helps!
Marcel



On Tuesday 19 November 2002 21:54, Ronnie Clark wrote:
 Hello all,

 I am running FreeBSD 4.7 STABLE and just loaded mysql,
 Apache13+mod_ssl, and mod_php4 from the ports collection. I got php and
 SSL playing nice together, but I now have a website that is showing an
 invalid cert. How do I generate my own CA and new server cert signed by
 that CA in this format?

 Thanks in advance,
 Ron Clark



-- 
They that give up essential liberty to obtain a little temporary safety... 
deserve neither safety nor liberty. - Benjamin Franklin(1759)



Re: How can I tell if mod_ssl is installed with Apache

2002-11-16 Thread R. DuFresne

These directives:  --enable-module=ssl --enable-shared=ssl, made mod-ssl
as a loadable module, it's not part of apache's core binary, so look in 
/webroot/libexec/ for the module you built to load on the httpd.conf
file;  libssl.so.  Additionally, I suggest you read through all the
documentation as well, you are missing things like this which are clearly
defined there.  This is seen also in the fact you issued these directives
as well as the ones stated below in the wrong place:

--enable-module=rewrite --enable-shared=rewrite --enable-module=proxy
--enable-shared=proxy
 --sysconfdir=/home/.autoserv/apache/conf
 --htdocsdir=/home/.autoserv/html --cgidir=/home/.autoserv/cgi-bin
 --sysconfdir=/home/.autoserv/conf --enable-module=ssl
--enable-shared=ssl


Thanks,

Ron DuFresne

On Fri, 15 Nov 2002 [EMAIL PROTECTED] wrote:

 I configured and installed mod_ssl with Apache but it does not seem to
 be working.
 When I run the ./httpd -l command on Apache it does not show that
 mod_ssl.c is installed in Apache this is a list of every thing that is
 in there. Should it be in there?
  http_core.c
   mod_env.c
   mod_log_config.c
   mod_mime.c
   mod_negotiation.c
   mod_status.c
   mod_include.c
   mod_autoindex.c
   mod_dir.c
   mod_cgi.c
   mod_asis.c
   mod_imap.c
   mod_actions.c
   mod_userdir.c
   mod_alias.c
   mod_access.c
   mod_auth.c
   mod_so.c
   mod_setenvif.c
 
   This is how I configured and installed mod_ssl
 
   1. cd to mod_ssl directory
   2. ran this command
 ./configure --with-apache=../apache --with-ssl=../openssl
 --prefix=/home/.autoserv/apache --target=autohttpd --enable-module=rewrite
 --enable-shared=rewrite --enable-module=proxy --enable-shared=proxy
 --sysconfdir=/home/.autoserv/apache/conf
 --htdocsdir=/home/.autoserv/html --cgidir=/home/.autoserv/cgi-bin
 --sysconfdir=/home/.autoserv/conf --enable-module=ssl --enable-shared=ssl
   3. cd ../apache
   4. make
   5. make certificate
   6. make install
   
 
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: Apache + mod_ssl (OpenSSL Error)

2002-11-15 Thread Lutz Jaenicke
On Thu, Nov 14, 2002 at 10:52:00PM +, Manoj Kithany wrote:
 
 Hi Experts!
 
 I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM 
 AIX box.
 So, I got mod_ssl from the IBM site and installed it in following way(after 
 READing INSTALL file for 2 hrs;-(
 
 
 #pwd
 /opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

 So, I finally READ the LOG file error_log and checked it shows:
 
 [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key 
 (OpenSSL library error follows)
 [error] OpenSSL: error:24064064:random number 
 generator:SSLEAY_RAND_BYTES:PRNG not seeded
 [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
 
 
 Do you know what this error would be? I have already installed EGD entropy 
 and it is stored in /dev/egd-pool
 Any links/pointers on this is appreciated.

/dev/egd-pool is only queried automatically starting with OpenSSL 0.9.7.
For 0.9.6x you have to enter the appropriate path using the SSLRandomSeed
directive in httpd.conf. Details are found in the manual.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Problem with mod_ssl 2.8.11

2002-11-15 Thread Muralidhar K (SSG) - CTD, Chennai.
Hi All,


I have the following problem with Apache 1.3.27, mod_ssl 2.8.11, open ssl
0.9.6g :-

ssl_engine_log:[09/Nov/2002 03:37:56 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:38:07 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:38:19 26447] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:38:28 26435] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:38:37 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:38:49 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:00 26504] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:11 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:20 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:30 26435] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:40 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:39:51 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:01 26447] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:10 26435] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:22 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:32 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:41 26447] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:40:51 26435] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:41:01 26451] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:41:12 26426] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:41:21 26447] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:41:33 26435] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:49:21 28526] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:49:31 28527] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:49:41 28532] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:49:51 28530] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:50:02 28526] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:50:12 28527] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:50:23 28531] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
ssl_engine_log:[09/Nov/2002 03:50:33 28532] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]

When I observed with netstat -a, the connections are in CLOSE_WAIT state.  I
observed that so many people posted similar problems on the net. 

Kindly let me know if any patch is available with mod_ssl or any solution for
this.

Regards,
Murali





Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade

2002-11-15 Thread Jim Lee
Hi,

We plan on upgrading to Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g from 
Apache 1.3.26 mod_ssl 2.8.10 openssl 0.9.6d on Windows.

We are considering the following two options:

Option A:

Download the Apache_1.3.27-Mod_SSL_2.8.12-OpenSSL_0.9.6g-Win32.zip file,
unzip it and copy over the files to the current installation directory, 
overwriting the old files with the new files (excluding the conf and 
certificate files, etc).

Option B:

Re-Install Apache 1.3.27 (preserve the config and certificate files during 
the installation) and then copy over the unzipped files from the above zip 
file to the installation directory.

Which of the above two options is recommended and which one is the best way 
to upgrade this server on windows.

Any advice would be greatly appreciated.

Thanks and Regards,

Bye,
-Jim.



SSLRandomFIle Error (Apache-mod_ssl)

2002-11-15 Thread Manoj Kithany
Hi:

I think I have Apache + mod_ssl on my IBM AIX box.

My httpd.conf file contains:
---
<VirtualHost *>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /kit
  ServerName www.my.server.name
  ErrorLog logs/log1
  SSLRandomFile file /dev/egd-pool 1024
  SSLCertificateFile /usr/local/ssl/certs/cert.cer
  SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
---
When I RUN my Apache, I get following Error:
---
# ./apachectl startssl
Syntax error on line 980 of /kit/conf/httpd.conf:
Invalid command 'SSLRandomFile', perhaps mis-spelled or defined by a module 
not included in the server configuration
./apachectl startssl: httpd could not be started
---

Do you know what is the problem? I read the documentation regarding the 
above since my IBM AIX Box does NOT have /dev/random

THANKS!




Re: Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade

2002-11-15 Thread Jim Lee
Small Correction:

Read first line of Option B as:

Fresh install of Apache 1.3.27 using apache_1.3.27-win32-x86-no_src.msi
at the current Apache 1.3.26 installation location.


From: Jim Lee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade
Date: Fri, 15 Nov 2002 20:38:53 +

Hi,

We plan on upgrading to Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g from 
Apache 1.3.26 mod_ssl 2.8.10 openssl 0.9.6d on Windows.

We are considering the following two options:

Option A:

Download the Apache_1.3.27-Mod_SSL_2.8.12-OpenSSL_0.9.6g-Win32.zip file,
unzip it and copy over the files to the current installation directory, 
overwriting the old files with the new files (excluding the conf and 
certificate files, etc).

Option B:

Re-Install Apache 1.3.27 (preserve the config and certificate files during 
the installation) and then copy over the unzipped files from the above zip 
file to the installation directory.

Which of the above two options is recommended and which one is the best way 
to upgrade this server on windows.

Any advice would be greatly appreciated.

Thanks and Regards,

Bye,
-Jim.



Re: SSLRandomFIle Error (Apache-mod_ssl)

2002-11-15 Thread Manoj Kithany
Thanks Lutz:

Where to put SSLRandomSeed? Because I put it in Virtual Host as shown:
<VirtualHost *>
 ServerAdmin [EMAIL PROTECTED]
 DocumentRoot /kit
 ServerName www.my.server.name
 ErrorLog logs/log1
 #SSLRandomFile file /dev/egd-pool 1024
 SSLRandomSeed startup egd:/var/run/egd-pool
 SSLRandomSeed connect egd:/var/run/egd-pool
 SSLCertificateFile /usr/local/ssl/certs/cert.cer
 SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>

and it throws following Error:
# ./apachectl startssl
Syntax error on line 983 of /kit/conf/httpd.conf:
SSLRandomSeed cannot occur within <VirtualHost> section
./apachectl startssl: httpd could not be started
#






From: Lutz Jaenicke [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: SSLRandomFIle Error (Apache-mod_ssl)
Date: Fri, 15 Nov 2002 22:17:31 +0100

On Fri, Nov 15, 2002 at 09:11:48PM +, Manoj Kithany wrote:
 Hi:

 I think I have Apache + mod_ssl on my IBM AIX box.

 My httpd.conf file contains:
 ---
 <VirtualHost *>
   ServerAdmin [EMAIL PROTECTED]
   DocumentRoot /kit
   ServerName www.my.server.name
   ErrorLog logs/log1
   SSLRandomFile file /dev/egd-pool 1024
   SSLCertificateFile /usr/local/ssl/certs/cert.cer
   SSLCertificateKeyFile /usr/local/ssl/bin/private.key
 </VirtualHost>
 ---
 When I RUN my Apache, I get following Error:
 ---
 # ./apachectl startssl
 Syntax error on line 980 of /kit/conf/httpd.conf:
 Invalid command 'SSLRandomFile', perhaps mis-spelled or defined by a 
module
 not included in the server configuration
 ./apachectl startssl: httpd could not be started
 ---

 Do you know what is the problem? I read the documentation regarding the
 above since my IBM AIX Box does NOT have /dev/random

But you didn't read carefully enough. If you are using an EGD style device,
you must explicitly tell:
SSLRandomSeed startup egd:/var/run/egd-pool
SSLRandomSeed connect egd:/var/run/egd-pool





Re: SSLRandomFIle Error (Apache-mod_ssl)

2002-11-15 Thread R. DuFresne
On Fri, 15 Nov 2002, Manoj Kithany wrote:

 Thanks Lutz:
 
 Where to put SSLRandomSeed? Because I put it in Virtual Host as shown:
 <VirtualHost *>
   ServerAdmin [EMAIL PROTECTED]
   DocumentRoot /kit
   ServerName www.my.server.name
   ErrorLog logs/log1
   #SSLRandomFile file /dev/egd-pool 1024
   SSLRandomSeed startup egd:/var/run/egd-pool
   SSLRandomSeed connect egd:/var/run/egd-pool
   SSLCertificateFile /usr/local/ssl/certs/cert.cer
   SSLCertificateKeyFile /usr/local/ssl/bin/private.key
 </VirtualHost>
 
 and it throws following Error:
 # ./apachectl startssl
 Syntax error on line 983 of /kit/conf/httpd.conf:
 SSLRandomSeed cannot occur within <VirtualHost> section
 ./apachectl startssl: httpd could not be started
 #

The clue here is clearly stated:  SSLRandomSeed cannot occur within
<VirtualHost> section. Move the SSLRandomSeed directives higher up in the
conf file, before the <VirtualHost> sections.  Perhaps more directly under
the <IfDefine SSL> or prior to that.

Thanks,

Ron DuFresne

 
 
 
 
 
 From: Lutz Jaenicke [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: SSLRandomFIle Error (Apache-mod_ssl)
 Date: Fri, 15 Nov 2002 22:17:31 +0100
 
 On Fri, Nov 15, 2002 at 09:11:48PM +, Manoj Kithany wrote:
   Hi:
  
   I think I have Apache + mod_ssl on my IBM AIX box.
  
   My httpd.conf file contains:
   ---
   <VirtualHost *>
 ServerAdmin [EMAIL PROTECTED]
 DocumentRoot /kit
 ServerName www.my.server.name
 ErrorLog logs/log1
 SSLRandomFile file /dev/egd-pool 1024
 SSLCertificateFile /usr/local/ssl/certs/cert.cer
 SSLCertificateKeyFile /usr/local/ssl/bin/private.key
   </VirtualHost>
   ---
   When I RUN my Apache, I get following Error:
   ---
   # ./apachectl startssl
   Syntax error on line 980 of /kit/conf/httpd.conf:
   Invalid command 'SSLRandomFile', perhaps mis-spelled or defined by a 
 module
   not included in the server configuration
   ./apachectl startssl: httpd could not be started
   ---
  
   Do you know what is the problem? I read the documentation regarding the
   above since my IBM AIX Box does NOT have /dev/random
 
 But you didn't read carefully enough. If you are using an EGD style device,
 you must explicitly tell:
 SSLRandomSeed startup egd:/var/run/egd-pool
 SSLRandomSeed connect egd:/var/run/egd-pool
 
 
 
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




OpenSSL Error (Apache-mod_ssl)

2002-11-15 Thread Manoj Kithany
Hi:

My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate 
temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number 
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa 
routines:RSA_generate_key:BN lib


I am using Apache 1.3.27, mod_ssl 2.8.11 on IBM AIX 5.1 box.





How can I tell if mod_ssl is installed with Apache

2002-11-15 Thread rdkurth
I configured and installed mod_ssl with Apache but it does not seem to
be working.
When I run the ./httpd -l command on Apache it does not show that
mod_ssl.c is installed in Apache. This is a list of everything that is
in there. Should it be in there?
 http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c

  This is how I configured and installed mod_ssl

  1. cd to mod_ssl directory
  2. ran this command
./configure --with-apache=../apache --with-ssl=../openssl
--prefix=/home/.autoserv/apache --target=autohttpd --enable-module=rewrite
--enable-shared=rewrite --enable-module=proxy --enable-shared=proxy
--sysconfdir=/home/.autoserv/apache/conf
--htdocsdir=/home/.autoserv/html --cgidir=/home/.autoserv/cgi-bin
--sysconfdir=/home/.autoserv/conf --enable-module=ssl --enable-shared=ssl
  3. cd ../apache
  4. make
  5. make certificate
  6. make install
  

-- 
Best regards,
 rdkurth  mailto:[EMAIL PROTECTED]



please help... mod_ssl seems to overwrite mod_perl and mod_perl seems to overwrite mod_ssl

2002-11-15 Thread Mitchel, Jennifer (Jem)
Hi all,

  How do I get  BOTH mod_perl and mod_ssl built into and working in Apache?

  I had mod_perl successfully built into my apache to use Authentication hook.

  Then I added mod_ssl in and I started to get errors from my .htaccess file

   Error:
   [Fri Nov 15 14:39:03 2002] [alert] [client 135.2.60.152]  
/web/content/askLucent/password-reset/cgi-bin/.htaccess: Invalid command 'PerlSetVar', 
perhaps mis-spelled or defined by a module not included in the server configuration

 
  Contents of .htaccess
<Limit GET POST>
AuthName "NT Domain\Login and Password"
AuthType Basic
#PerlSetVar NT_Controllers 'na02il0015dc00:na02il0015dc01'
PerlSetVar NT_Controllers 'na02il0015dc04:na02il0015dc01:NA02IL0015DC02'
PerlAuthenHandler Apache::AuthenN2
require valid-user
</Limit>

 So I rebuilt mod_perl back into Apache and now I get errors of directives from 
mod_ssl in my httpd.conf file

  Error:
  5e-cts root: /web/server/apache/1.3.22/bin/apachectl stop ; 
/web/server/apache/1.3.22/bin/apachectl start
/web/server/apache/1.3.22/bin/apachectl stop: httpd (no pid file) not running
Syntax error on line 1008 of /web/server/apache/1.3.22/conf/httpd.conf:
Invalid command 'SSLRandomSeed', perhaps mis-spelled or defined by a module not 
included in the server configuration
/web/server/apache/1.3.22/bin/apachectl start: httpd could not be started


 Lines from httpd.conf:
  
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/random  512
SSLRandomSeed connect file:/dev/random  512

 I need to use both mod_perl and mod_ssl and it seems like each keeps overwriting the 
other.  How do I change this so I can get them built in together?

Thank you
Jem



Re: Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-14 Thread Volker Borchert
In message [EMAIL PROTECTED] you write:

| 1. Obtain Apache Mod mod_proxy_add_forward.c
|    Modify the code to set the header front-end-https: on.
| 
|    add the following
| 
|    /* turn on front-end-https header, so OWA will put HTTPS into urls */ 
|    ap_table_set(r->headers_in, "front-end-https", "on");

Or modify modules/proxy/proxy_http.c. With apache-1.3.27/mod_ssl-2.8.12,
the relevant code section is at line 400 +/-. This is simpler, and will
avoid the problems with module order described in mod_proxy_add_forward.c

In addition, I would add a new config directive, say FrontEndHTTPS
of type flag to be able to control this on a per-vhost basis.

Maybe I'll give it a try next weekend.

(Anybody care to submit this as a feature request for future mod_ssl?)

vb



Apache + mod_ssl - config/install

2002-11-14 Thread Manoj Kithany
Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. SO, I got mod_ssl 
from the site and installed it using

#pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

# ./configure --with-apache=../apache_1.3.27 
--with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer 
--with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl

#cd ..
#cd apache_1.3.27
#make
#make certificate
#make install

This DOCUMENTATION was given in README file in the above directory.

Later when I check if my APACHE was configured for SSL by using:

# ./httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_so.c
mod_setenvif.c
suexec: disabled; invalid wrapper /kit/bin/suexec
#


As Seen above, MOD_SSL Module is NOT LISTED above. When I 
Installed/configured (as shown above) I did not receive any ERROR - but 
still could NOT see if MOD_SSL was configured? Any suggestions/hints








Re: Apache + mod_ssl - config/install

2002-11-14 Thread R. DuFresne

You used --enable-shared=ssl, so mod_ssl is a shared module, not part of
the core compiled in stuff in the httpd binary you made.  Now you have to
load the module in the httpd.conf file and configure the ssl related
settings to get it to run for you when you apachectl startssl.

Most of the settings and directives should be in the default httpd.conf file
generated in the make; make install, and await your editing refinements.  The
man pages and online documentation at the Apache and mod_ssl sites should
guide you through any settings not clarified fully in the comments in the
default httpd.conf file.


Thanks,

Ron DuFresne

On Thu, 14 Nov 2002, Manoj Kithany wrote:

 Hi Experts!
 
 I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. SO, I got mod_ssl 
 from the site and installed it using
 

 #pwd
 /opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
 
 # ./configure --with-apache=../apache_1.3.27 
 --with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer 
 --with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl
 
 #cd ..
 #cd apache_1.3.27
 #make
 #make certificate
 #make install
 

 This DOCUMENTATION was given in README file in the above directory.
 
 Later when I check if my APACHE was configured for SSL by using:
 

 # ./httpd -l
 Compiled-in modules:
 http_core.c
 mod_env.c
 mod_log_config.c
 mod_mime.c
 mod_negotiation.c
 mod_status.c
 mod_include.c
 mod_autoindex.c
 mod_dir.c
 mod_cgi.c
 mod_asis.c
 mod_imap.c
 mod_actions.c
 mod_userdir.c
 mod_alias.c
 mod_access.c
 mod_auth.c
 mod_so.c
 mod_setenvif.c
 suexec: disabled; invalid wrapper /kit/bin/suexec
 #
 

 
 As Seen above, MOD_SSL Module is NOT LISTED above. When I 
 Installed/configured (as shown above) I did not receive any ERROR - but 
 still could NOT see if MOD_SSL was configured? Any suggestions/hints
 
 
 
 
 
 
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
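
The two points made in this thread (a mod_ssl built with --enable-shared=ssl does not show up in `httpd -l` and has to be loaded from httpd.conf, and SSLRandomSeed is rejected inside <VirtualHost>) can be checked before starting the server. The following is an added example, not code from the list posts or from mod_ssl; the sample configs are constructed, and the libexec/libssl.so path is an assumption.

```python
import re

OPEN_RE = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE_RE = re.compile(r"</\s*([A-Za-z]+)\s*>")
GLOBAL_ONLY = {"sslrandomseed"}  # accepted by mod_ssl in the server config only

# Abridged from the `httpd -l` output quoted in the thread.
HTTPD_L = """Compiled-in modules:
  http_core.c
  mod_so.c
  mod_setenvif.c
suexec: disabled; invalid wrapper /kit/bin/suexec
"""

# Constructed sample: the poster's vhost, with no LoadModule line anywhere.
BAD_CONF = """\
<VirtualHost *>
    ServerName www.my.server.name
    SSLRandomSeed startup egd:/var/run/egd-pool
    SSLRandomSeed connect egd:/var/run/egd-pool
    SSLCertificateFile /usr/local/ssl/certs/cert.cer
    SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
"""

# Constructed sample: module loaded (path is an assumption), seed lines global.
# `apachectl startssl` starts httpd with -DSSL, which activates <IfDefine SSL>.
FIXED_CONF = """\
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
SSLRandomSeed startup egd:/var/run/egd-pool
SSLRandomSeed connect egd:/var/run/egd-pool
<VirtualHost *>
    ServerName www.my.server.name
    SSLCertificateFile /usr/local/ssl/certs/cert.cer
    SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
</IfDefine>
"""


def compiled_in_modules(httpd_l_output):
    """Module source names listed by `httpd -l` (static modules only)."""
    return {tok for tok in httpd_l_output.split() if tok.endswith(".c")}


def lint_httpd_conf(conf_text, compiled_in=frozenset()):
    """Return (line_no, code, message) tuples for the two mistakes above."""
    findings, stack = [], []          # stack holds the open <Section> names
    ssl_available = "mod_ssl.c" in compiled_in
    missing_reported = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE_RE.fullmatch(line)
        if closing:
            if stack and stack[-1] == closing.group(1).lower():
                stack.pop()
            else:
                findings.append((no, "unbalanced", f"unexpected {line}"))
            continue
        opening = OPEN_RE.fullmatch(line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        words = line.split()
        name = words[0].lower()       # directive names are case-insensitive
        if name == "loadmodule" and words[1:2] == ["ssl_module"]:
            ssl_available = True
        elif name.startswith("ssl"):
            if not ssl_available and not missing_reported:
                missing_reported = True   # httpd stops at the first one too
                findings.append((no, "module-not-loaded",
                                 f"{words[0]} used but mod_ssl is neither "
                                 "compiled in nor loaded with LoadModule"))
            if name in GLOBAL_ONLY and "virtualhost" in stack:
                findings.append((no, "wrong-context",
                                 f"{words[0]} cannot occur within "
                                 "<VirtualHost> section"))
    return findings


if __name__ == "__main__":
    static = compiled_in_modules(HTTPD_L)
    for label, conf in (("before", BAD_CONF), ("after", FIXED_CONF)):
        print(label, lint_httpd_conf(conf, static) or "no findings")
```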




Apache + mod_ssl (OpenSSL Error)

2002-11-14 Thread Manoj Kithany
when I start my Apache it shows following Error:
-
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
-

Later when I check /log/error_log file I see
-
[Thu Nov 14 11:10:01 2002] [error] mod_ssl: Init: Failed to generate 
temporary 512 bit RSA private key (OpenSSL library error follows)
[Thu Nov 14 11:10:01 2002] [error] OpenSSL: error:24064064:random number 
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Thu Nov 14 11:10:01 2002] [error] OpenSSL: error:04069003:rsa 
routines:RSA_generate_key:BN lib
-

Please help me out on this!

THANKS!



Bugfix for compiling mod_ssl-2.4.10-1.3.9 against openssl-0.9.6g.

2002-11-14 Thread raymond
I had trouble this morning compiling mod_ssl-2.4.10-1.3.9 against 
openssl-0.9.6g.  The problem was well documented in the following two posts 
on your archives.  

http://www.mail-archive.com/modssl-users;modssl.org/msg15050.html
http://www.mail-archive.com/modssl-users;modssl.org/msg09673.html

I didn't find the answer there, but I did find the answer in the latest rev's 
source code and wanted to share it somewhere publicly accessible.

Here is a snip of compiler barf for google to index:

-DSSL_COMPAT -I/export/developers/rmb/open_ssl/src/openssl-0.9.6/include 
-DMOD_SSL_VERSION=\2.4.10\ ssl_util_ssl.c  mv ssl_util_ssl.o 
ssl_util_ssl.lo
ssl_util_ssl.c:145: conflicting types for `d2i_PrivateKey_bio'
/export/developers/rmb/open_ssl/src/openssl-0.9.6/include/openssl/x509.h:779: 
previous declaration of `d2i_PrivateKey_bio'

This fix lies in modifying pkg.modssl/ssl_util_ssl.c like so:

/* OLD BROKEN CODE
**static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY *key)
**{
** return ((EVP_PKEY *)ASN1_d2i_bio(
** (char *(*)())EVP_PKEY_new,
** (char *(*)())d2i_PrivateKey,
** (bio), (unsigned char **)(key)));
**}
*/
/*NEW CHEERY BRIGHT CODE*/
#if SSL_LIBRARY_VERSION <= 0x00904100
static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
{
 return ((EVP_PKEY *)ASN1_d2i_bio(
 (char *(*)())EVP_PKEY_new,
 (char *(*)())d2i_PrivateKey,
 (bio), (unsigned char **)(key)));
}
#endif

Cheers,

-Ray Ferguson.
-- 
ONLY the STRONG SURVIVE...all those DOWNWIND PASSOUT 



Apache + mod_ssl (OpenSSL Error)

2002-11-14 Thread Manoj Kithany

Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using IBM AIX 
box.
So, I got mod_ssl from the IBM site and installed it in following way(after 
READing INSTALL file for 2 hrs;-(


#pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27

# ./configure --with-apache=../apache_1.3.27 
--with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer 
--with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl

#cd ..
#cd apache_1.3.27
#make
#make certificate
#make install

This DOCUMENTATION was given in README file in the above directory.

Later, I start my APACHE for SSL as shown below and get ERROR:

#./apachectl startssl
./apachectl startssl: httpd could not be started


So, I finally READ the LOG file error_log and checked it shows:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key 
(OpenSSL library error follows)
[error] OpenSSL: error:24064064:random number 
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib


Do you know what this error would be? I have already installed EGD entropy 
and it is stored in /dev/egd-pool
Any links/pointers on this is appreciated.

Thanks!



apache and mod_ssl

2002-11-11 Thread Stefan Steger



hi guys!

i have following question:

i installed an apache webserver with mod_ssl.
on this server several projects are available. what i want 
is that only one directory (project) is accessible via https/ssl 
(only https/ssl) for all users (also internet) and the rest of the site should 
ONLY be accessible via http.

is that possible?

i played around with my httpd.conf, but i didn't get 
it.

thx

steve




RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-08 Thread John . Airey
I'd suggest that you disable the basic authentication as well, once it all
works.

This does mean that users would have to enter their username and password
twice, but does keep out worms like Code Red. After all, your exchange
server isn't a public site.

On Exchange 5.5/IIS4 we've disabled both Challenge/Response (as this
prevents Netscape or Mozilla getting into your mailbox) and basic
authentication. We do get a niggly message your password will expire in 0
days, but we just ignore it.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.



 -Original Message-
 From: David Marshall [mailto:dmarshall;esilicon.com]
 Sent: 07 November 2002 14:58
 To: [EMAIL PROTECTED]
 Subject: RE: Is anyone successfully running OWA2K behind 
 Apache/mod_ssl?
 
 
 Jason,
 
 I had this running on RedHat 7.2. Apache 1.3.22/Mod_SSL
 
 Here are the steps...
 1. Obtain Apache Mod mod_proxy_add_forward.c
    Modify the code to set the header front-end-https: on.
 
    add the following
 
    /* turn on front-end-https header, so OWA will put HTTPS into urls */ 
    ap_table_set(r->headers_in, "front-end-https", "on");
 
Compile and install mod_proxy_add_forward.c. 
I used command apxs -i -c mod_proxy_add_forward.c 
   
 2. Add a line to your httpd.conf file: 
LoadModule proxy_add_forward_module 
 /usr/lib/apache/1.3/mod_proxy_add_forward.so 
 replacing /usr/lib/apache/1.3 with the path that apxs 
 installs the module.
 
 3. Add the following directives to the virtual host section 
 of your apache
configuration files, replacing FQDN with the fully 
 qualified domain name you
want to use, NOT the address of the exchange server:
 ProxyPass /exchange/ http://FQDN/exchange/
 ProxyPass /public/ http://FQDN/public/
 ProxyPass /exchweb/ http://FQDN/exchweb/
 
 4. Make sure that external dns resolves the FQDN to the 
 Apache proxy server
 
 5. Modify your /etc/hosts on the Apache proxy server
Add the FQDN to resolve to the ip address of the OWA server 
 
 6. On the Server where OWA is installed, Turn off Windows 
 Integrated Authentication
run Internet Services Manager 
( Programs->Administrative Tools->Internet Services Manager )
 
Expand to your OWA website and Right-click the OWA site and select 
Properties, on the resulting Dialog, select the 
 Directory Security 
Tab, Then Edit the Anonymous access and authentication control, 
remove Windows Integrated Authentication and turn on 
 Basic Authentication
 
note: you must repeat this step every time you restart IIS 
 or reboot this machine.
 
 I must tell that although the solution worked, we did not 
 put this solution into production. 
 
 The biggest drawbacks to this solution were.
 a. Every time you reboot/restart IIS on the System where OWA 
 is installed, 
your security settings will be reset adding Windows 
 Integrated Authentication 
back to the virtual directories. 
 
We have found no way to resolve this.
 
 b. We had to add a virtual host for every OWA site on Apache 
 that we needed to host.
In my environment we have 3 exchange servers and 2 routing groups. 
This meant that as we changed our Exchange Topology, that 
 we would have
to re-work the Apache front-end proxy.
 
 c. Users cannot use the password change option.
 
 After reading the Microsoft Exchange Front-End/Backend 
 documents 
http://www.microsoft.com/downloads/release.asp?releaseid=43997 , We decided
to evaluate running a Front-End OWA server under SSL with HTTP disabled on a
separate system from the other Exchange Servers. In the final analysis, we
decided that this was the right answer for us.

David Marshall


-Original Message-
From: Jason Haar [mailto:Jason.Haar;trimble.co.nz]
Sent: Thursday, November 07, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?


We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the
ordinary. I think it's

RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-08 Thread John . Airey
Oops, I made a big mistake!

I'd suggest that you disable *anonymous* access as well, once it all works.

This does mean that users would have to enter their username and password
twice, but does keep out worms like Code Red. After all, your exchange
server isn't a public site.

On Exchange 5.5/IIS4 we've disabled both Challenge/Response (as this
prevents Netscape or Mozilla getting into your mailbox) and *anonymous*
access. We do get a niggly message your password will expire in 0 days,
but we just ignore it.

If you followed my last message, you'd never get in. Doh!

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.



 -Original Message-
 From: David Marshall [mailto:dmarshall;esilicon.com]
 Sent: 07 November 2002 14:58
 To: [EMAIL PROTECTED]
 Subject: RE: Is anyone successfully running OWA2K behind 
 Apache/mod_ssl?
 
 
 Jason,
 
 I had this running on RedHat 7.2. Apache 1.3.22/Mod_SSL
 
 Here are the steps...
 1. Obtain Apache Mod mod_proxy_add_forward.c
    Modify the code to set the header front-end-https: on.
 
    add the following
 
    /* turn on front-end-https header, so OWA will put HTTPS into urls */ 
    ap_table_set(r->headers_in, "front-end-https", "on");
 
Compile and install mod_proxy_add_forward.c. 
I used command apxs -i -c mod_proxy_add_forward.c 
   
 2. Add a line to your httpd.conf file: 
LoadModule proxy_add_forward_module 
 /usr/lib/apache/1.3/mod_proxy_add_forward.so 
 replacing /usr/lib/apache/1.3 with the path that apxs 
 installs the module.
 
 3. Add the following directives to the virtual host section 
 of your apache
configuration files, replacing FQDN with the fully 
 qualified domain name you
want to use, NOT the address of the exchange server:
 ProxyPass /exchange/ http://FQDN/exchange/
 ProxyPass /public/ http://FQDN/public/
 ProxyPass /exchweb/ http://FQDN/exchweb/
 
 4. Make sure that external dns resolves the FQDN to the 
 Apache proxy server
 
 5. Modify your /etc/hosts on the Apache proxy server
Add the FQDN to resolve to the ip address of the OWA server 
 
 6. On the Server where OWA is installed, Turn off Windows 
 Integrated Authentication
run Internet Services Manager 
( Programs->Administrative Tools->Internet Services Manager )
 
Expand to your OWA website and Right-click the OWA site and select 
Properties, on the resulting Dialog, select the 
 Directory Security 
Tab, Then Edit the Anonymous access and authentication control, 
remove Windows Integrated Authentication and turn on 
 Basic Authentication
 
note: you must repeat this step every time you restart IIS 
 or reboot this machine.
 
 I must tell that although the solution worked, we did not 
 put this solution into production. 
 
 The biggest drawbacks to this solution were.
 a. Every time you reboot/restart IIS on the System where OWA 
 is installed, 
your security settings will be reset adding Windows 
 Integrated Authentication 
back to the virtual directories. 
 
We have found no way to resolve this.
 
 b. We had to add a virtual host for every OWA site on Apache 
 that we needed to host.
In my environment we have 3 exchange servers and 2 routing groups. 
This meant that as we changed our Exchange Topology, that 
 we would have
to re-work the Apache front-end proxy.
 
 c. Users cannot use the password change option.
 
 After reading the Microsoft Exchange Front-End/Backend 
 documents 
http://www.microsoft.com/downloads/release.asp?releaseid=43997 , We decided
to evaluate running a Front-End OWA server under SSL with HTTP disabled on a
separate system from the other Exchange Servers. In the final analysis, we
decided that this was the right answer for us.

David Marshall


-Original Message-
From: Jason Haar [mailto:Jason.Haar;trimble.co.nz]
Sent: Thursday, November 07, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?


We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done

Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

2002-11-07 Thread Jason Haar
We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the
ordinary. I think it's an OWA issue, or an IE security-context issue, but
can't say for sure.

Anyone else got any stories about this?

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-07 Thread David Marshall
Jason,

I had this running on RedHat 7.2. Apache 1.3.22/Mod_SSL

Here are the steps...
1. Obtain Apache Mod mod_proxy_add_forward.c
   Modify the code to set the header front-end-https: on.

   add the following

   /* turn on front-end-https header, so OWA will put HTTPS into urls */ 
   ap_table_set(r->headers_in, "front-end-https", "on");

   Compile and install mod_proxy_add_forward.c. 
   I used command apxs -i -c mod_proxy_add_forward.c 
  
2. Add a line to your httpd.conf file: 
   LoadModule proxy_add_forward_module /usr/lib/apache/1.3/mod_proxy_add_forward.so 
replacing /usr/lib/apache/1.3 with the path that apxs installs the module.

3. Add the following directives to the virtual host section of your apache
   configuration files, replacing FQDN with the fully qualified domain name you
   want to use, NOT the address of the exchange server:
ProxyPass /exchange/ http://FQDN/exchange/
ProxyPass /public/ http://FQDN/public/
ProxyPass /exchweb/ http://FQDN/exchweb/

4. Make sure that external dns resolves the FQDN to the Apache proxy server

5. Modify your /etc/hosts on the Apache proxy server
   Add the FQDN to resolve to the ip address of the OWA server 

6. On the Server where OWA is installed, Turn off Windows Integrated Authentication
   run Internet Services Manager 
   ( Programs->Administrative Tools->Internet Services Manager )

   Expand to your OWA website and Right-click the OWA site and select 
   Properties, on the resulting Dialog, select the Directory Security 
   Tab, Then Edit the Anonymous access and authentication control, 
   remove Windows Integrated Authentication and turn on Basic Authentication

   note: you must repeat this step every time you restart IIS or reboot this machine.

I must tell you that although the solution worked, we did not put this solution into 
production. 

The biggest drawbacks to this solution were:
a. Every time you reboot/restart IIS on the System where OWA is installed, 
   your security settings will be reset adding Windows Integrated Authentication 
   back to the virtual directories. 

   We have found no way to resolve this.

b. We had to add a virtual host for every OWA site on Apache that we needed to host.
   In my environment we have 3 exchange servers and 2 routing groups. 
   This meant that as we changed our Exchange Topology, that we would have
   to re-work the Apache front-end proxy.

c. Users cannot use the password change option.

After reading the Microsoft Exchange Front-End/Backend documents 
http://www.microsoft.com/downloads/release.asp?releaseid=43997 , we decided to 
evaluate running a Front-End OWA server under SSL with HTTP disabled on a separate 
system from the other Exchange Servers. In the final analysis, we decided that this 
was the right answer for us.

David Marshall


-Original Message-
From: Jason Haar [mailto:Jason.Haar;trimble.co.nz]
Sent: Thursday, November 07, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?


We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the
ordinary. I think it's an OWA issue, or an IE security-context issue, but
can't say for sure.

Anyone else got any stories about this?

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

2002-11-07 Thread Volker Borchert
In message [EMAIL PROTECTED] you write:

| We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
| servers, and want to add OWA2K to the list (that's Outlook Web Access for
| Microsoft Exchange 2000).

| Anyone else got any stories about this?

Two things:

1) For me, it seems to work with IE only if I explicitly disallow any
   authentication scheme but Basic. IE defaults to NTLM which doesn't
   seem to work across Apache reverse.

2) OWA inserts a <base href="http://exchange.server.name/" /> HTML
   tag which means that you may have to play dirty tricks with DNS
   and/or nsswitch.conf to get it to work from the outside.

vb
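
Both URL problems raised in this thread can be checked on a page fetched through the proxy: the URL scheme that the front-end-https header in David's step 1 is meant to fix, and the base href host from Volker's point 2. The following is an added example, not code from any poster; the function name is hypothetical, and mail.example.com and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) for every href/src/action attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append((tag, name, value))


def audit_proxied_page(html, public_fqdn):
    """Flag absolute URLs that would make the browser bypass the HTTPS proxy."""
    collector = UrlCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("", "http", "https") or not parts.netloc:
            continue  # mailto:, javascript:, or a relative URL
        issues = []
        if parts.scheme == "http":
            issues.append("cleartext-scheme")  # backend did not see front-end-https
        if (parts.hostname or "").lower() != public_fqdn.lower():
            issues.append("internal-host")     # name only resolvable inside
        if issues:
            findings.append((tag, attr, url, issues))
    return findings


# Constructed sample pages; mail.example.com is an assumed public FQDN.
SAMPLE_BROKEN = """<html><head><base href="http://exchange.server.name/exchange/" />
</head><body><a href="inbox/">Inbox</a>
<img src="https://mail.example.com/exchweb/img/logo.gif"></body></html>"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("http://exchange.server.name",
                                     "https://mail.example.com")

if __name__ == "__main__":
    for finding in audit_proxied_page(SAMPLE_BROKEN, "mail.example.com"):
        print(finding)
```

An empty result for a page served through the proxy means neither the backend's scheme nor its host name is reaching the browser.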



Re: mod_ssl for apache2 2.0.43

2002-11-07 Thread Joachim Feise
Paetsch, Christian (BearingPoint extern) wrote:

Hello,

I'm looking for the module mod_ssl for the new apache 2.0.43 server running
on a Win32 platform. 
I can only find information about the mod_ssl for apache 1.3. 
Can I still use the latest version of mod_ssl?

Apache 2.x has the ssl code in the main distribution.
